Analysis Report mbKl0xHgzH

Overview

General Information

Sample Name: mbKl0xHgzH (renamed file extension from none to exe)
Analysis ID: 334638
MD5: 3e05cdc35f300de783fcb3dcd71e4970
SHA1: abfc51fe7bc93d12d0d163b1f7fecae0a6a8e52e
SHA256: adc220109f73acdd307036a6d14bffa68103a48e2305c3a4f1533aab74d9deb8

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Drops PE files
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Too many similar processes found
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • mbKl0xHgzH.exe (PID: 5648 cmdline: 'C:\Users\user\Desktop\mbKl0xHgzH.exe' MD5: 3E05CDC35F300DE783FCB3DCD71E4970)
    • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6708 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6780 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6792 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6828 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6848 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6860 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6876 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6888 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6900 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6912 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6928 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6952 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6992 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7028 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7048 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7060 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7076 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7088 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7108 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7152 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 7164 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4784 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 2428 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: mbKl0xHgzH.exe | Virustotal: Detection: 52%
Source: mbKl0xHgzH.exe | Metadefender: Detection: 22%
Source: mbKl0xHgzH.exe | ReversingLabs: Detection: 39%
Source: mbKl0xHgzH.exe, 00000000.00000003.208305501.00000000045F0000.00000004.00000001.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: mbKl0xHgzH.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: mbKl0xHgzH.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: mbKl0xHgzH.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: mbKl0xHgzH.exe | String found in binary or memory: http://s2.symcb.com0
Source: mbKl0xHgzH.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: mbKl0xHgzH.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: mbKl0xHgzH.exe | String found in binary or memory: http://sv.symcd.com0&
Source: mbKl0xHgzH.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: mbKl0xHgzH.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: mbKl0xHgzH.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: mbKl0xHgzH.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mbKl0xHgzH.exe, 00000000.00000002.693741852.0000000070205000.00000002.00020000.sdmp, libeay32.dll.0.dr | String found in binary or memory: http://www.openssl.org/V
Source: libeay32.dll.0.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: mbKl0xHgzH.exe | String found in binary or memory: http://www.symauth.com/cps0(
Source: mbKl0xHgzH.exe | String found in binary or memory: http://www.symauth.com/rpa00
Source: mbKl0xHgzH.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: mbKl0xHgzH.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: mbKl0xHgzH.exe | String found in binary or memory: https://www.flashfxp.com0
Source: mbKl0xHgzH.exe | String found in binary or memory: https://www.flashfxp.com0/
Source: cmd.exe | Process created: 58

System Summary:

PE file contains section with special chars
Source: mbKl0xHgzH.exe | Static PE information: section name:
Source: mbKl0xHgzH.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Process Stats: CPU usage > 98%
Source: mbKl0xHgzH.exe | Static PE information: invalid certificate
Source: mbKl0xHgzH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mbKl0xHgzH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mbKl0xHgzH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mbKl0xHgzH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mbKl0xHgzH.exe, 00000000.00000002.693741852.0000000070205000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamelibeay32.dllH vs mbKl0xHgzH.exe
Source: mbKl0xHgzH.exe, 00000000.00000002.693063392.0000000004730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewdmaud.drv.muij% vs mbKl0xHgzH.exe
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: avrt.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: audioses.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Section loaded: midimap.dll
Source: classification engine | Classification label: mal68.evad.winEXE@303/4@0/0
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | File created: C:\Program Files (x86)\autoit3\Extras\Geshi\autoit.php.16x
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | File created: C:\Users\user\Desktop\libeay32.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | File read: C:\Users\user\AppData\Roaming\16x.ini
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mbKl0xHgzH.exe | Virustotal: Detection: 52%
Source: mbKl0xHgzH.exe | Metadefender: Detection: 22%
Source: mbKl0xHgzH.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\mbKl0xHgzH.exe 'C:\Users\user\Desktop\mbKl0xHgzH.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c clsJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c clsJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe File written: C:\Users\user\AppData\Roaming\16x.ini
Source: mbKl0xHgzH.exe Static file information: File size 4633408 > 1048576
Source: mbKl0xHgzH.exe Static PE information: Raw size of is bigger than: 0x100000 < 0x1b3000
Source: mbKl0xHgzH.exe Static PE information: Raw size of mgdfleok is bigger than: 0x100000 < 0x253000
Source: Binary string: c:\openssl-1.0.1j\out32dll\libeay32.pdb source: mbKl0xHgzH.exe, 00000000.00000002.693642715.00000000701A4000.00000002.00020000.sdmp, libeay32.dll.0.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Unpacked PE file: 0.2.mbKl0xHgzH.exe.400000.0.unpack :EW;.rsrc:W;.idata :W;mgdfleok:EW;xtmxmjcp:EW; vs :ER;.rsrc:W;.idata :W;mgdfleok:EW;xtmxmjcp:EW;
Source: initial sample Static PE information: section where entry point is pointing to: xtmxmjcp
Source: mbKl0xHgzH.exe Static PE information: section name:
Source: mbKl0xHgzH.exe Static PE information: section name: .idata
Source: mbKl0xHgzH.exe Static PE information: section name: mgdfleok
Source: mbKl0xHgzH.exe Static PE information: section name: xtmxmjcp
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe File created: C:\Users\user\Desktop\libeay32.dll
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095E743 second address: 000000000095E749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000953B07 second address: 0000000000953B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA6A48BE2E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095E749 second address: 000000000095E74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000953B12 second address: 0000000000953B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6A48BE2EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000953B21 second address: 0000000000953B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095F78A second address: 000000000095F791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000955037 second address: 0000000000955056 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA6A4B149ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FA6A4B149ACh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095F791 second address: 000000000095F79B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FA6A48BE2E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000955056 second address: 000000000095505C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095505C second address: 0000000000955060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009606BF second address: 0000000000960708 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA6A4B149ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FA6A4B149B1h 0x00000010 nop 0x00000011 mov edi, esi 0x00000013 push 00000000h 0x00000015 or edi, dword ptr [ebp+19B91CDBh] 0x0000001b push 00000000h 0x0000001d movzx ebx, di 0x00000020 jno 00007FA6A4B149ACh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jne 00007FA6A4B149A8h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000960708 second address: 000000000096070D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000965A11 second address: 0000000000965A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000965A15 second address: 0000000000965A25 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA6A48BE2E6h 0x00000008 ja 00007FA6A48BE2E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000965A25 second address: 0000000000965A3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A4B149AEh 0x00000007 jng 00007FA6A4B149AEh 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000965A3F second address: 0000000000965A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000965A49 second address: 0000000000965A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FA6A4B149B5h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000965A67 second address: 0000000000965A7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A48BE2F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000966015 second address: 0000000000966019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000966019 second address: 000000000096601F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000969044 second address: 00000000009690B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push edi 0x0000000b or dword ptr [ebp+19B92EEDh], ebx 0x00000011 pop ebx 0x00000012 push 00000000h 0x00000014 pushad 0x00000015 push ecx 0x00000016 mov eax, dword ptr [ebp+19B93857h] 0x0000001c pop ecx 0x0000001d mov dword ptr [ebp+19B91F39h], edx 0x00000023 popad 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007FA6A4B149A8h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 sbb bx, F435h 0x00000045 xchg eax, esi 0x00000046 jmp 00007FA6A4B149B1h 0x0000004b push eax 0x0000004c pushad 0x0000004d push ecx 0x0000004e push edx 0x0000004f pop edx 0x00000050 pop ecx 0x00000051 push eax 0x00000052 push edx 0x00000053 push edi 0x00000054 pop edi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000096A1AF second address: 000000000096A268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA6A48BE2E6h 0x0000000a popad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 jnl 00007FA6A48BE2F2h 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FA6A48BE2E8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 jmp 00007FA6A48BE2F4h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FA6A48BE2E8h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 mov di, ax 0x00000056 push 00000000h 0x00000058 jmp 00007FA6A48BE2F7h 0x0000005d xchg eax, esi 0x0000005e jnp 00007FA6A48BE2F6h 0x00000064 jmp 00007FA6A48BE2F0h 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007FA6A48BE2EFh 0x00000071 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095D9CE second address: 000000000095D9D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095DA8C second address: 000000000095DA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095DA90 second address: 000000000095DA94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000095E8A4 second address: 000000000095E8B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6A48BE2ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000096296B second address: 000000000096298B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA6A4B149AEh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jno 00007FA6A4B149A6h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009662A6 second address: 00000000009662AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000096A3E2 second address: 000000000096A499 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A4B149B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FA6A4B149A8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 add bx, 1541h 0x00000029 jmp 00007FA6A4B149B3h 0x0000002e push dword ptr fs:[00000000h] 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007FA6A4B149A8h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 00000019h 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 xor edi, dword ptr [ebp+19D38C43h] 0x0000005c mov eax, dword ptr [ebp+19B912F5h] 0x00000062 mov ebx, esi 0x00000064 push FFFFFFFFh 0x00000066 and edi, dword ptr [ebp+19B92DC4h] 0x0000006c nop 0x0000006d jmp 00007FA6A4B149B2h 0x00000072 push eax 0x00000073 jc 00007FA6A4B149B4h 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000096A499 second address: 000000000096A49D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000096EF7A second address: 000000000096EF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA6A4B149ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000096EF91 second address: 000000000096EF97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000096EF97 second address: 000000000096EFAF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA6A4B149ACh 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009759EB second address: 0000000000975A10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A48BE2F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000975A10 second address: 0000000000975A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA6A4B149A6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000906F8A second address: 0000000000906FAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A48BE2F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007FA6A48BE2ECh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000906FAD second address: 0000000000906FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000906FBB second address: 0000000000906FC7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FA6A48BE2E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000906FC7 second address: 0000000000906FCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000906FCC second address: 0000000000906FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000097BE4A second address: 000000000097BE50 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000097BE50 second address: 000000000097BE6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA6A48BE2F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000097C91D second address: 000000000097C923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000097CA84 second address: 000000000097CACE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA6A48BE2F0h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jmp 00007FA6A48BE2F8h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FA6A48BE2EBh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a jo 00007FA6A48BE2E8h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000097F644 second address: 000000000097F649 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000090A518 second address: 000000000090A51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000090A51E second address: 000000000090A522 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000989623 second address: 0000000000989642 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A48BE2F1h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FA6A48BE2E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000989642 second address: 0000000000989663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA6A4B149AAh 0x0000000e pushad 0x0000000f jg 00007FA6A4B149A6h 0x00000015 jnl 00007FA6A4B149A6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009897E3 second address: 00000000009897E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000989EB8 second address: 0000000000989ECF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA6A4B149ACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000989ECF second address: 0000000000989EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000989EDA second address: 0000000000989EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000989EE0 second address: 0000000000989EE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000098A166 second address: 000000000098A16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000098A2CE second address: 000000000098A2E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A48BE2EFh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000098A573 second address: 000000000098A577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000989379 second address: 0000000000989393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FA6A48BE2F5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000099425A second address: 0000000000994273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6A4B149B5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000994273 second address: 000000000099428D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A48BE2F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000099428D second address: 0000000000994291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000997A82 second address: 0000000000997A8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009973FF second address: 0000000000997409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA6A4B149A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000997409 second address: 000000000099740D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009975BB second address: 00000000009975BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009975BF second address: 00000000009975D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6A48BE2F0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009A3BAD second address: 00000000009A3BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009A3BB3 second address: 00000000009A3BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009A3BB7 second address: 00000000009A3BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009A3BBD second address: 00000000009A3BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 0000000000919488 second address: 000000000091949C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A4B149ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 000000000091949C second address: 00000000009194A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009A6872 second address: 00000000009A6896 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA6A4B149BDh 0x00000008 push edi 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009AC9B9 second address: 00000000009AC9BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009AC9BF second address: 00000000009AC9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009B5C79 second address: 00000000009B5C96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA6A48BE2F4h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009B5C96 second address: 00000000009B5CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA6A4B149A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009B5CA2 second address: 00000000009B5CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA6A48BE2EEh 0x0000000a popad 0x0000000b jbe 00007FA6A48BE2F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 jns 00007FA6A48BE2E6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009B5B0D second address: 00000000009B5B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009B5B12 second address: 00000000009B5B3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 ja 00007FA6A48BE2E6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jnc 00007FA6A48BE2EAh 0x00000019 jng 00007FA6A48BE2ECh 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeRDTSC instruction interceptor: First address: 00000000009B5B3E second address: 00000000009B5B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6A4B149AEh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009B866A second address: 00000000009B8697 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA6A48BE2EEh 0x00000008 jmp 00007FA6A48BE2EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007FA6A48BE2E6h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009BAD95 second address: 00000000009BAD9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009C1CBB second address: 00000000009C1CC5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA6A48BE2E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009C1CC5 second address: 00000000009C1CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009C1CD1 second address: 00000000009C1CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA6A48BE2E6h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009C1CDC second address: 00000000009C1CE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009C1CE1 second address: 00000000009C1CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA6A48BE2E6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009D0EBF second address: 00000000009D0F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6A4B149ABh 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FA6A4B149B6h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FA6A4B149B5h 0x00000019 popad 0x0000001a pushad 0x0000001b jns 00007FA6A4B149A6h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 ja 00007FA6A4B149A6h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009D3C3B second address: 00000000009D3C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jnc 00007FA6A48BE2EEh 0x0000000d js 00007FA6A48BE2ECh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DBE90 second address: 00000000009DBE96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DBE96 second address: 00000000009DBEB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA6A48BE2F0h 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC007 second address: 00000000009DC00B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC00B second address: 00000000009DC01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FA6A48BE2E8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC01B second address: 00000000009DC021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC5E1 second address: 00000000009DC5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC5E5 second address: 00000000009DC5EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC5EB second address: 00000000009DC60A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA6A48BE2ECh 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC60A second address: 00000000009DC624 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA6A4B149B5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DC7B6 second address: 00000000009DC7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DE7BB second address: 00000000009DE7BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DE7BF second address: 00000000009DE7DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6A48BE2F6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009DE7DB second address: 00000000009DE808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA6A4B149ABh 0x00000008 jmp 00007FA6A4B149AFh 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA6A4B149ABh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009E3093 second address: 00000000009E3099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009E51E9 second address: 00000000009E51F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA6A4B149A6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe RDTSC instruction interceptor: First address: 00000000009E51F7 second address: 00000000009E5229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FA6A48BE2EAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pop edx 0x00000013 push ecx 0x00000014 jmp 00007FA6A48BE2F6h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe TID: 4116 Thread sleep time: -212106s >= -30000s
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe TID: 5928 Thread sleep time: -314157s >= -30000s
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe TID: 4220 Thread sleep time: -174087s >= -30000s
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe TID: 4160 Thread sleep time: -192096s >= -30000s
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe TID: 2052 Thread sleep time: -222111s >= -30000s
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe TID: 2792 Thread sleep time: -202101s >= -30000s
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe TID: 5628 Thread sleep time: -146073s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 1264 Thread sleep count: 205 > 30
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: mbKl0xHgzH.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: mbKl0xHgzH.exe, 00000000.00000002.689227440.0000000000928000.00000040.00020000.sdmp Binary or memory string: ADVAPI32.DLLOpenSCManagerACreateServiceAStartServiceAGetNativeSystemInfoOpenServiceADeleteServiceCloseServiceHandleControlServiceoreans32.sysoreansx64.sysoreans32\\.\oreans32\\.\Global\oreans32oreansx64\\.\Global\oreansx64SYSTEMROOT%s\system32\drivers\%s%s\syswow64\drivers\%s%s\system32\drivers\oreans32.sys3no3no3no\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: mbKl0xHgzH.exe Binary or memory string: bal\oreansx64SYSTEMROOT%s\system32\drivers\%s%s\syswow64\drivers\%s%s\system32\drivers\oreans32.sys3no3no3no\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls (identical event reported 34 times)
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe Process created: unknown unknown (identical event reported 214 times)
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\mbKl0xHgzH.exeProcess created: unknown unknownJump to behavior
Source: mbKl0xHgzH.exe, 00000000.00000002.691633369.0000000001480000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: mbKl0xHgzH.exe, 00000000.00000002.691633369.0000000001480000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: mbKl0xHgzH.exe, 00000000.00000002.691633369.0000000001480000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: mbKl0xHgzH.exe, 00000000.00000002.691633369.0000000001480000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\mbKl0xHgzH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
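The behavior log above records the sample starting dozens of child processes, among them repeated `cmd.exe /c cls` instances launched seconds apart, which is the pattern the "Too many similar processes found" signature summarizes. The script below is an added example and is not part of the Joe Sandbox report. It shows one way to turn that pattern into a detection over process-creation telemetry: children are grouped by parent PID and normalized command line, and any parent that launches the same command line at least three times inside a ten-second window is reported. The event lines are constructed for this example (PIDs are invented; timestamps and command lines are modelled on the System Behavior section) in a simple five-column CSV shape; a real Sysmon Event ID 1 export would need its own field mapping in `parse_events`.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not from the report): utc_time,pid,ppid,image,command_line
SAMPLE_EVENTS = r"""
2020-12-29T06:54:56Z,1000,900,C:\Users\user\Desktop\mbKl0xHgzH.exe,C:\Users\user\Desktop\mbKl0xHgzH.exe
2020-12-29T06:54:56Z,1001,1000,C:\Windows\System32\conhost.exe,C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2020-12-29T06:55:43Z,1002,1000,C:\Windows\SysWOW64\cmd.exe,C:\Windows\system32\cmd.exe /c cls
2020-12-29T06:55:43Z,1003,1000,C:\Windows\SysWOW64\cmd.exe,C:\Windows\system32\cmd.exe  /c cls
2020-12-29T06:55:44Z,1004,1000,C:\Windows\SysWOW64\cmd.exe,C:\Windows\System32\cmd.exe /c cls
2020-12-29T06:55:44Z,1005,1000,C:\Windows\SysWOW64\cmd.exe,C:\Windows\system32\cmd.exe /c cls
2020-12-29T06:56:10Z,2001,400,C:\Windows\System32\notepad.exe,notepad.exe notes.txt
2020-12-29T06:56:12Z,2002,400,C:\Windows\System32\calc.exe,calc.exe
"""

WINDOW = timedelta(seconds=10)   # how close together the spawns must be
THRESHOLD = 3                    # identical spawns inside WINDOW that trigger a hit


def normalize_cmdline(cmd: str) -> str:
    """Case-fold and collapse whitespace so trivially varied command lines group together."""
    return re.sub(r"\s+", " ", cmd.strip()).lower()


def parse_events(text: str) -> list:
    """Parse the five-column CSV above into event dicts; blank or malformed rows are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, pid, ppid, image, cmdline = row
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "pid": int(pid), "ppid": int(ppid),
                       "image": image, "cmdline": cmdline})
    return events


def find_repeated_spawns(events: list, threshold: int = THRESHOLD,
                         window: timedelta = WINDOW) -> dict:
    """Return {(ppid, normalized cmdline): peak count} for every parent that started
    at least `threshold` children with the same command line inside `window`."""
    stamps_by_key = defaultdict(list)
    for e in events:
        stamps_by_key[(e["ppid"], normalize_cmdline(e["cmdline"]))].append(e["ts"])
    hits = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        peak, j = 0, 0
        for i, ts in enumerate(stamps):        # sliding window over sorted timestamps
            while ts - stamps[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits


def demo() -> dict:
    """Run the detection over the constructed events; the cmd.exe burst is the only hit."""
    return find_repeated_spawns(parse_events(SAMPLE_EVENTS))
```

Calling `demo()` returns a single hit for parent PID 1000 with `c:\windows\system32\cmd.exe /c cls` seen four times; the lone conhost.exe spawn and the two different children of PID 400 stay below the threshold. Raising `threshold` or shrinking `window` tunes the rule against noisy parents such as build systems or shells.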

Mitre Att&ck Matrix

Tactic | Techniques (number of matching signatures in parentheses; unnumbered entries are the matrix's default placeholders with no match)
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution | Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence | DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation | Process Injection (12); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion | Masquerading (2); Virtualization/Sandbox Evasion (2); Software Packing (1); Process Injection (12); DLL Side-Loading (1)
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery | Security Software Discovery (211); Virtualization/Sandbox Evasion (2); Process Discovery (2); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection | Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control | Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects | Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects | Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact | Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
mbKl0xHgzH.exe | 53% | Virustotal |
mbKl0xHgzH.exe | 22% | Metadefender |
mbKl0xHgzH.exe | 40% | ReversingLabs | Win32.Packed.Themida

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Desktop\libeay32.dll | 0% | Virustotal |
C:\Users\user\Desktop\libeay32.dll | 0% | Metadefender |
C:\Users\user\Desktop\libeay32.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ocsp.thawte.com0 | 0% | URL Reputation | safe (listed four times in the original)

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0 | mbKl0xHgzH.exe | false | | high
http://www.openssl.org/V | mbKl0xHgzH.exe, 00000000.00000002.693741852.0000000070205000.00000002.00020000.sdmp, libeay32.dll.0.dr | false | | high
http://www.symauth.com/cps0( | mbKl0xHgzH.exe | false | | high
http://www.symauth.com/rpa00 | mbKl0xHgzH.exe | false | | high
http://ocsp.thawte.com0 | mbKl0xHgzH.exe | false | URL Reputation: safe (reported four times) | unknown
http://www.openssl.org/support/faq.html | libeay32.dll.0.dr | false | | high

The trailing characters on several entries ("0", "V", "(", "00") are adjacent bytes picked up by string extraction from the embedded Authenticode certificate and the OpenSSL library; they are not part of the URLs, which are the issuer's CRL/OCSP/CPS endpoints and OpenSSL's project pages rather than attacker infrastructure.

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:31.0.0 Red Diamond
            Analysis ID:334638
            Start date:29.12.2020
            Start time:06:54:07
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 7m 52s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:mbKl0xHgzH (renamed file extension from none to exe)
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:40
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal68.evad.winEXE@303/4@0/0
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 98.1% (good quality ratio 84.9%)
            • Quality average: 70.5%
            • Quality standard deviation: 38.2%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            Warnings:
            • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenFile calls found.
            • Report size getting too big, too many NtWriteVirtualMemory calls found.

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Program Files (x86)\AutoIt3\Extras\Geshi\autoit.php.16x
            Process:C:\Users\user\Desktop\mbKl0xHgzH.exe
            File Type:data
            Category:dropped
            Size (bytes):124512
            Entropy (8bit):7.892573450992061
            Encrypted:false
            SSDEEP:3072:nciCBc7434kYanTO2DZrl3JwowBjc1Y4kXMPZTEa5Zvm+CTlazezflVKEHbfwZf7:cPZfuBjc1Y4kXMBo8u4ygvf7
            MD5:4E7C4DA3C161CFBFAB8131AFB42D3EB9
            SHA1:D9CE4E73252B36A23B68E4E9DD311AA05556DAB8
            SHA-256:1C3B01D1637C8698CBF6750CB6FFDDCFAD32ACD81F8A75B519B952943F2244C3
            SHA-512:E6600D4294B04D1F186CF8B0EEEDF8D476305068C75AD2F0B303F58B4C1971F42F3BE46E5163DB321ED4450234A0BBB575013DEAB65AABBA1259F3250353361E
            Malicious:false
            Preview: ......)Z..f..[j1..Q....}..Q....}..Q....}..Q....}..Q....}..Q....}..Q....}..Q....}..Q....}..Q....}0..T......)Q.{!...k*....@.:...]e...a.c..QC[.urQ.3,p...dG.......f..v.K.mj..-..b.)...kV..n.?uP.}.q.}........H..it.R:6....g..1.a.<.z.@.\>.CL.C..o.*[...t..a+..."..J}Q..c.&..!.K...x..K..f..5...p&..,.......*.G.#.yS...'...(...k...=.(%G.q....+q.q+\J...)|.|.$.'X\.p{6.(.. .....F.E....0K@h.e....=.....T.v.y.4{.....:.GLa1.i....r`..=..E......W.gQ..?Y.l.. K...m.&U....r..J..HQ.E.W.$L...k].!......F..D..!."F.../...i{.v..y.e........R.&X.[....Y...}.@%.'......w-..;|....Lw.D..n..U.$C.Y.&J.`/eJL...IX...../C.._.}..Er...2...^...da.&..E.,.v.w...L.T..Cd...h....r.....X..h.30k.....@...S.oy...Z0l9..._.../..[...y.....Y....K..RV..Svz{.R.&X.[.$.Ks...."Q.J.6N.....w .x.x....h.Y..e.Z3Y..r........2...^......N.Q."xX..Z.x.I8..%.l.5........t..S..'.<!0o...po....2...^...G...bV.zq..MxyE..?....2.p.]IK.iD..Y.....4afG<}V.......R.&X.[..c..qai....R.../...2....$..Q..U.!...y9X..|.o.t*.V..`
            C:\Users\user\AppData\Roaming\16x.ini
            Process:C:\Users\user\Desktop\mbKl0xHgzH.exe
            File Type:ISO-8859 text, with very long lines, with CRLF line terminators
            Category:dropped
            Size (bytes):694
            Entropy (8bit):4.93069209726991
            Encrypted:false
            SSDEEP:12:j/bAxeBFmD7LRdb5q9I5Pd3A5pJuJQSVcUc+hAHfWC/LuexAfsjBcDnjTwbV4M:71LIRdbaI1pA5pJRTQhfMAaQjTwbmM
            MD5:7607FDF65230F0FCB5E80467CD786350
            SHA1:4C0C7EAD8D0EE0D3EF479ABE57D7B620135125FA
            SHA-256:D9A4F2AAE13C8E16B4302363BED114F4435488C4E6F78DA82063FE287938B7FC
            SHA-512:F9879B537CFEF8E839B87C0454A378C938B8F42619A783B77D1582559D93D0D9CF2F1B0DB5AC15F52A233E0D2D8F988A95DB857561827475C47D3457DA19F429
            Malicious:false
Preview: [16x]..Warning=Be sure not to modify or delete the file, and if you choose to do so, all application parts on your computer will be automatically deleted.....Code[...]ne..Number=1..
            C:\Users\user\Desktop\libeay32.dll
            Process:C:\Users\user\Desktop\mbKl0xHgzH.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):1282048
            Entropy (8bit):6.772219124376366
            Encrypted:false
            SSDEEP:24576:pBUHPVn2vXa+G6RVNNkHlPdVugQiZCFrf7dtPQAV1Fq:2F2vXRNW/1Y7dtPQAV1Fq
            MD5:E5E521468E2A9F9B314E06E29116B5A9
            SHA1:4044A4EFD7998E8C4245E632B18056B089F0AA53
            SHA-256:19B4D189A73B79A73C2DDD678ED5FF7357D92494CF76A21372A58E3DCE075D50
            SHA-512:71B7FCA9D2BF361DAAA69F3855E49F635183B6A2C6FA7F82376C7E565694D14859ADB649CDF8D12B6B6749F4777948D9164A2A8580143171F2970CE8B28F3A41
            Malicious:false
            Antivirus:
            • Antivirus: Virustotal, Detection: 0%, Browse
            • Antivirus: Metadefender, Detection: 0%, Browse
            • Antivirus: ReversingLabs, Detection: 0%
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M.-.,j~.,j~.,j~.}.~.,j~.}.~.,j~.}.~.,j~{.~.,j~.,k~4,j~.~.~.,j~.~.~..j~.~.~.,j~.~.~.,j~.~.~.,j~Rich.,j~........................PE..L......T...........!.....(...........Y.......@............................................@.........................P...Q....|..x....P..@....................`.....pB..8...............................@............@..$............................text....&.......(.................. ..`.rdata..|G...@...H...,..............@..@.data...........p...t..............@....rsrc...@....P......................@..@.reloc......`......................@..B........................................................................................................................................................................................................................................................................................................
            \Device\ConDrv
            Process:C:\Users\user\Desktop\mbKl0xHgzH.exe
            File Type:ISO-8859 text, with very long lines, with CRLF, CR line terminators
            Category:dropped
            Size (bytes):166522
            Entropy (8bit):3.6598649715389078
            Encrypted:false
            SSDEEP:3072:5/YlXrFLWZsObbWpqKxVxMi8Y/lmxfk+sCsym2rn9zYuKVJK0qCmdi3/DJMuo8Tc:p
            MD5:EA4FCCEFD7E3A0D51597F15CB5B4A02F
            SHA1:BD4DCBB7ED275B9782152052304AF159B6587F33
            SHA-256:B371C4D378244CBB1CD4142B59C927D954E98FBCB7D878CF002BBF1A511552F4
            SHA-512:D8DAA7D9377F117FF510B744041A1CE42125226E50705D084DDCC1DC271D8B50B557A36299B5E00BC8C12ED490F2EBAD3DE474607ABEACEFCCD38701927CEA53
            Malicious:false
            Preview: .-" "-.... / \... | |... |, .-. .-. ,|... | )(__/ \__)( |... |/ /\ \|... (@_ (_ ^^ _)... _ ) \_______\__|IIIIII|__/_____________________... (_)@8@8{}<________|-\IIIIII/-|______________________>... )_/ \ /... (@ `--------`H .-" "-.... / \... | |... |, .-. .-. ,|... | )(__/ \__)( |... |/ /\ \|... (@_ (_ ^^ _)... _ ) \_______\__|IIIIII|__/_____________________... (_)@8@8{}<________| |_____________________>... )_/ \-\IIIIII/-/... (@ `--------`He .-" "-.... / \... | |... |, .-. .-. ,|...

            Static File Info

            General

            File type:PE32 executable (console) Intel 80386, for MS Windows
            Entropy (8bit):7.078015467680053
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:mbKl0xHgzH.exe
            File size:4633408
            MD5:3e05cdc35f300de783fcb3dcd71e4970
            SHA1:abfc51fe7bc93d12d0d163b1f7fecae0a6a8e52e
            SHA256:adc220109f73acdd307036a6d14bffa68103a48e2305c3a4f1533aab74d9deb8
            SHA512:fff156d64fcd720d2d27b3e53dccb9fb817775b11b04eae44e41bb266112f3655ced03ef3e6037748155bdd02b6d749eda778e92eb66a9362546513c48ce4775
            SSDEEP:98304:ocHxAWpnC6vMjoGDn8d1LqiYErL63aTrmOjaL8SIOv9r:TiWpogdVg9l
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G...................(...x.......U.../...a...........d...5.......5...n.......H...............#...........Rich...................

            File Icon

            Icon Hash:b271f0b2f2703152

            Static PE Info

            General

            Entrypoint:0x9ef000
            Entrypoint Section:xtmxmjcp
            Digitally signed:true
            Imagebase:0x400000
            Subsystem:windows cui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:(none set: the image opts into neither ASLR (DYNAMIC_BASE) nor DEP (NX_COMPAT), and with RELOCS_STRIPPED above it cannot be rebased from 0x400000)
            Time Stamp:0x5FE57D40 [Fri Dec 25 05:48:48 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:baa93d47220682c04d92f7797d9224ce

            Authenticode Signature

            Signature Valid:false
            Signature Issuer:CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
            Signature Validation Error:The digital signature of the object did not verify
            Error Number:-2146869232
            Not Before, Not After
            • 7/19/2015 5:00:00 PM 10/18/2018 4:59:59 PM
            Subject Chain
            • CN=OpenSight Software LLC, O=OpenSight Software LLC, L=Quincy, S=Illinois, C=US
            Version:3
            Thumbprint MD5:D50076766D15D5EC892B3A708B486C31
            Thumbprint SHA-1:18DEB35231ED9E4555A1F91877D0FFD492067400
            Thumbprint SHA-256:5A11D1B4A66FE757210439FB7F8AC81A385029B02B608ABBED03FA73062F5E65
            Serial:46BC2E32787C9108226D4CEB76FB048A

            Entrypoint Preview

            Instruction
            push esi
            push eax
            push ebx
            call 00007FA6A45F4646h
            int3
            pop eax
            mov ebx, eax
            inc eax
            sub eax, 00253000h
            sub eax, 100C1678h
            add eax, 100C166Fh
            cmp byte ptr [ebx], FFFFFFCCh
            jne 00007FA6A45F465Bh
            mov byte ptr [ebx], 00000000h
            mov ebx, 00001000h
            push 358022DFh
            push 4D623FE0h
            push ebx
            push eax
            call 00007FA6A45F464Fh
            add eax, 14h
            mov dword ptr [esp+08h], eax
            pop ebx
            pop eax
            ret
            push ebp
            mov ebp, esp
            push eax
            push ebx
            push ecx
            push esi
            mov esi, dword ptr [ebp+08h]
            mov ecx, dword ptr [ebp+0Ch]
            shr ecx, 02h
            mov eax, dword ptr [ebp+10h]
            mov ebx, dword ptr [ebp+14h]
            test ecx, ecx
            je 00007FA6A45F464Ch
            xor dword ptr [esi], eax
            add dword ptr [esi], ebx
            add esi, 04h
            dec ecx
            jmp 00007FA6A45F4634h
            pop esi
            pop ecx
            pop ebx
            pop eax
            leave
            retn 0010h
            pop di
            cmp ch, byte ptr [ebx+67h]
            sbb al, byte ptr [ebp+12h]
            cmp al, byte ptr [edi+6B5A17ACh]
            jc 00007FA6A45F4698h
            mov dword ptr [esp], edi
            mov eax, 469F5E59h
            mov ebp, E9E60F96h
            sub ebp, eax
            mov edi, ebp
            push edi
            sub dword ptr [esp], 26826720h
            pop eax
            add eax, 26826720h
            mov edi, dword ptr [esp]
            sub esp, 04h
            mov dword ptr [esp], ecx
            mov ecx, esp
            push edi
            mov edi, 00000004h
            add ecx, edi
            pop edi
            add ecx, 00000004h
            xchg dword ptr [esp], ecx
            mov esp, dword ptr [esp]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al

            Rich Headers

            Programming Language:
            • [C++] VS98 (6.0) SP6 build 8804
            • [C++] VS98 (6.0) build 8168
            • [EXP] VC++ 6.0 SP5 build 8804
            • [ C ] VS98 (6.0) SP6 build 8804
            • [ C ] VS98 (6.0) build 8168

            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x39b06d | 0x95 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x33c000 | 0x5e16c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x468000 | 0x3340 | mgdfleok
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x33b000 | 0x1b3000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x33c000 | 0x5e16c | 0x5f000 | False | 0.145931846217 | data | 3.53863555326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x39b000 | 0x1000 | 0x1000 | False | 0.02734375 | data | 0.220958014954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
mgdfleok | 0x39c000 | 0x253000 | 0x253000 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
xtmxmjcp | 0x5ef000 | 0x1000 | 0x1000 | False | 0.05419921875 | data | 0.51707742639 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
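The section table above is the static evidence behind several of the report's signatures: the first section has no name at all, two sections carry random-looking names (mgdfleok, xtmxmjcp), every executable section is also writable, and the entry point (0x9ef000 minus the 0x400000 image base gives RVA 0x5ef000) sits in xtmxmjcp rather than in .text. The Python script below is an added example and is not part of the Joe Sandbox report; it reproduces those checks with the standard library only. Because no binary ships with this page, it builds a synthetic PE32 image in memory that copies the report's section names, RVAs, virtual sizes and characteristics; the raw bytes, and therefore the entropy figures, are constructed here and are not the sample's. For a real file, pass `open(path, "rb").read()` to `parse_pe` instead of the synthetic image.

```python
import math
import struct
from collections import Counter

# Names a normal linker emits; anything else is treated as suspicious.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".idata", ".edata",
                     ".reloc", ".pdata", ".bss", ".tls", ".CRT"}
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(image: bytes):
    """Return (AddressOfEntryPoint RVA, list of section dicts) from a PE image in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    entry_rva = struct.unpack_from("<I", image, pe_off + 24 + 16)[0]
    sections = []
    for i in range(num_sections):
        off = pe_off + 24 + opt_size + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "characteristics": chars,
                         "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size])})
    return entry_rva, sections


def audit(entry_rva: int, sections: list) -> list:
    """Findings corresponding to the report's section and entry-point signatures."""
    findings, entry_section = [], None
    for s in sections:
        name, chars = s["name"], s["characteristics"]
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s
        if not name.strip() or not name.isprintable():
            findings.append(f"section at {s['va']:#x} has empty or special-character name")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
        if s["entropy"] > 7.0:
            findings.append(f"section {name!r} has packed-looking entropy {s['entropy']:.2f}")
    if entry_section is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section")
    elif entry_section["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point {entry_rva:#x} lies in non-standard section "
                        f"{entry_section['name']!r}")
    return findings


def build_synthetic_pe(specs: list, entry_rva: int) -> bytes:
    """Test fixture only: minimal PE32 headers; specs = (name, va, vsize, raw bytes, chars)."""
    pe_off, opt_size, file_align = 0x40, 0xE0, 0x200
    image = bytearray(pe_off)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, pe_off)                  # e_lfanew
    image += b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase, as in the report
    image += opt
    raw_ptr = -(-(len(image) + 40 * len(specs)) // file_align) * file_align
    body = bytearray()
    for name, va, vsize, raw, chars in specs:
        padded = raw + b"\0" * (-len(raw) % file_align)
        image += struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), vsize, va,
                             len(padded), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += padded
    image += b"\0" * (raw_ptr - len(image))
    return bytes(image + body)


# Layout copied from the report's section table (names, RVAs, virtual sizes, flags).
# The raw bytes are constructed here, so the entropy figures are illustrative only.
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ
REPORT_LAYOUT = [
    ("", 0x1000, 0x33B000, b"", RWX),                              # unnamed, no raw data
    (".rsrc", 0x33C000, 0x5E16C, b"\0" * 64, RW),
    (".idata", 0x39B000, 0x1000, b"\0" * 64, RW),
    ("mgdfleok", 0x39C000, 0x253000, bytes(range(256)) * 2, RWX),  # stands in for packed code
    ("xtmxmjcp", 0x5EF000, 0x1000, b"\0" * 64, RWX),               # holds the entry point
]


def demo() -> list:
    """Entry point 0x9ef000 minus image base 0x400000 is RVA 0x5ef000, as in the report."""
    entry_rva, sections = parse_pe(build_synthetic_pe(REPORT_LAYOUT, 0x5EF000))
    return audit(entry_rva, sections)
```

`demo()` yields eight findings on the synthetic image: the unnamed first section, three writable-and-executable sections, the two non-standard names, the high-entropy stand-in for the packed mgdfleok section, and the entry point resolving into xtmxmjcp. The entry-point check uses the larger of VirtualSize and SizeOfRawData because packers routinely declare a huge virtual range with little or no file-backed data, exactly as the unnamed section here does (0x33b000 virtual, 0x1b3000 raw).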

            Resources

Name | RVA | Size | Type | Language | Country
TEXTINCLUDE | 0x33cdac | 0xb | ASCII text, with no line terminators | Chinese | China
TEXTINCLUDE | 0x33cdb8 | 0x16 | C source, ASCII text, with CRLF line terminators | Chinese | China
TEXTINCLUDE | 0x33cdd0 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China
RT_CURSOR | 0x33cf24 | 0x134 | data | Chinese | China
RT_CURSOR | 0x33d058 | 0x134 | data | Chinese | China
RT_CURSOR | 0x33d18c | 0x134 | data | Chinese | China
RT_CURSOR | 0x33d2c0 | 0xb4 | data | Chinese | China
RT_BITMAP | 0x33d374 | 0x248 | data | Chinese | China
RT_BITMAP | 0x33d5bc | 0x144 | data | Chinese | China
RT_BITMAP | 0x33d700 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33d858 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33d9b0 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33db08 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33dc60 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33ddb8 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33df10 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33e068 | 0x158 | data | Chinese | China
RT_BITMAP | 0x33e1c0 | 0x5e4 | data | Chinese | China
RT_BITMAP | 0x33e7a4 | 0xb8 | data | Chinese | China
RT_BITMAP | 0x33e85c | 0x16c | data | Chinese | China
RT_BITMAP | 0x33e9c8 | 0x144 | data | Chinese | China
RT_ICON | 0x33eb0c | 0x2e8 | data | Chinese | China
RT_ICON | 0x33edf4 | 0x128 | GLS_BINARY_LSB_FIRST | Chinese | China
RT_ICON | 0x33ef1c | 0x130 | data | |
RT_ICON | 0x33f04c | 0x668 | data | |
RT_ICON | 0x33f6b4 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1617488104, next used block 0 | |
RT_ICON | 0x33f99c | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x33fac4 | 0xea8 | data | |
RT_ICON | 0x34096c | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15198183, next used block 15198191 | |
RT_ICON | 0x341214 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x34177c | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x3837a4 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x393fcc | 0x25a8 | data | |
RT_ICON | 0x396574 | 0x10a8 | data | |
RT_ICON | 0x39761c | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_MENU | 0x397a84 | 0xc | data | Chinese | China
RT_MENU | 0x397a90 | 0x284 | data | Chinese | China
RT_DIALOG | 0x397d14 | 0x98 | data | Chinese | China
RT_DIALOG | 0x397dac | 0x17a | data | Chinese | China
RT_DIALOG | 0x397f28 | 0xfa | data | Chinese | China
RT_DIALOG | 0x398024 | 0xea | data | Chinese | China
RT_DIALOG | 0x398110 | 0x8ae | data | Chinese | China
RT_DIALOG | 0x3989c0 | 0xb2 | data | Chinese | China
RT_DIALOG | 0x398a74 | 0xcc | data | Chinese | China
RT_DIALOG | 0x398b40 | 0xb2 | data | Chinese | China
RT_DIALOG | 0x398bf4 | 0xe2 | data | Chinese | China
RT_DIALOG | 0x398cd8 | 0x18c | data | Chinese | China
RT_STRING | 0x398e64 | 0x50 | data | Chinese | China
RT_STRING | 0x398eb4 | 0x2c | data | Chinese | China
RT_STRING | 0x398ee0 | 0x78 | data | Chinese | China
RT_STRING | 0x398f58 | 0x1c4 | data | Chinese | China
RT_STRING | 0x39911c | 0x12a | data | Chinese | China
RT_STRING | 0x399248 | 0x146 | data | Chinese | China
RT_STRING | 0x399390 | 0x40 | data | Chinese | China
RT_STRING | 0x3993d0 | 0x64 | data | Chinese | China
RT_STRING | 0x399434 | 0x1d8 | data | Chinese | China
RT_STRING | 0x39960c | 0x114 | data | Chinese | China
RT_STRING | 0x399720 | 0x24 | data | Chinese | China
RT_GROUP_CURSOR | 0x399744 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x399758 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China
RT_GROUP_CURSOR | 0x39976c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China
RT_GROUP_ICON | 0x399790 | 0xae | data | |
RT_GROUP_ICON | 0x399840 | 0x14 | data | Chinese | China
RT_GROUP_ICON | 0x399854 | 0x14 | data | Chinese | China
RT_VERSION | 0x399868 | 0x648 | data | Chinese | China
RT_MANIFEST | 0x399eb0 | 0x2b9 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | |

            Imports

DLL | Import
kernel32.dll | lstrcpy
comctl32.dll | InitCommonControls

            Version Infos

Description | Data
LegalCopyright | Microsoft Corporation.All rights reserved.
FileVersion | 10.0.18362.1
CompanyName | Microsoft Corp
Comments | Service Host, or SvcHost is a system process that can host from one to many Windows services in the Windows NT family of operating systems. Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. This program is important for the stable and secure running of your computer and should not be terminated.
ProductName | Microsoft Windows Operating System
ProductVersion | 10.0.18362.1
FileDescription | Microsoft Windows Operating System
Translation | 0x0804 0x04b0

            Possible Origin

Language of compilation system | Country where language is spoken
Chinese | China

            Network Behavior

            No network behavior found

            Code Manipulations

            System Behavior

            General

            Start time:06:54:56
            Start date:29/12/2020
            Path:C:\Users\user\Desktop\mbKl0xHgzH.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\mbKl0xHgzH.exe'
            Imagebase:0x400000
            File size:4633408 bytes
            MD5 hash:3E05CDC35F300DE783FCB3DCD71E4970
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Start time:06:54:56
            Start date:29/12/2020
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff6b2800000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:43
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:43
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:44
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:44
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:44
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:45
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:45
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:45
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:46
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:46
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:47
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:47
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:47
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:48
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:48
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:06:55:48
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:49
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:49
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:49
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:50
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:50
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:51
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:51
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:06:55:51
            Start date:29/12/2020
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c cls
            Imagebase:0xbf0000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Disassembly

            Code Analysis


              Executed Functions

              C-Code - Quality: 15%
              			E004455F0() {
              				void* _t63;
              				void* _t64;
              				signed int _t66;
              				void* _t69;
              				signed int _t70;
              				intOrPtr* _t82;
              				intOrPtr _t83;
              				void* _t84;
              				void* _t86;
              				void* _t92;
              				void* _t94;
              				void** _t98;
              				intOrPtr _t99;
              				intOrPtr _t101;
              				intOrPtr _t104;
              				signed int _t107;
              				signed int _t108;
              				void* _t124;
              				void* _t125;
              				void* _t128;
              				signed int _t137;
              				signed int _t138;
              				intOrPtr _t139;
              				void* _t142;
              				intOrPtr* _t143;
              				void* _t144;
              
              				_t143 =  *((intOrPtr*)(_t144 + 0xc));
              				while(1) {
              					L1:
              					_t63 = _t143 + 0x28;
              					0x74b5f730(2, _t63, 0, 0x22b8);
              					_t64 = _t63;
              					if(_t64 != 0) {
              						break;
              					}
              					_t128 = _t143 + 0x30;
              					0x77e2eef0(_t128);
              					_t137 =  *(_t143 + 0x10);
              					 *(_t144 + 0x18) = _t137;
              					0x77e2eb70(_t128);
              					if(_t137 <= 0) {
              						continue;
              					} else {
              						_t98 = ( *(_t143 + 0x14) << 5) +  *((intOrPtr*)(_t143 + 0xc));
              						if((_t98[4] & 0x00000002) != 0) {
              							0x740fd260( *((intOrPtr*)(_t143 + 4)), _t98, 0x20);
              						}
              						_t137 =  *(_t143 + 0x1c);
              						_t66 =  *((intOrPtr*)(_t143 + 8)) - _t137;
              						if(_t66 <= 0x3c00) {
              							if(_t66 <= 0) {
              								if( *((intOrPtr*)(_t144 + 0x14)) < 0x14) {
              									continue;
              								} else {
              									_t137 = 0;
              									if( *((intOrPtr*)(_t143 + 0x48)) == 0) {
              										do {
              											_t69 =  *((intOrPtr*)(_t143 + 0xc)) + _t137;
              											if(( *(_t69 + 0x10) & 0x00000002) != 0) {
              												0x740fd260( *((intOrPtr*)(_t143 + 4)), _t69, 0x20);
              											}
              											_t137 = _t137 + 0x20;
              										} while (_t137 < 0x280);
              									} else {
              										0x77e2eef0(_t128);
              										_t84 =  *(_t143 + 0x28);
              										 *(_t143 + 0x1c) = 0;
              										 *(_t143 + 0x14) = 0;
              										 *(_t143 + 0x10) = 0x14;
              										if(_t84 != 0) {
              											0x74b5f6e0(_t84, 0x14, 0);
              										}
              										0x77e2eb70(_t128);
              										continue;
              									}
              								}
              							} else {
              								goto L11;
              							}
              						} else {
              							_t66 = 0x3c00;
              							L11:
              							_t107 = _t66;
              							_t142 = _t137 +  *_t143;
              							_t108 = _t107 >> 2;
              							memcpy( *_t98, _t142, _t108 << 2);
              							_t86 = memcpy(_t142 + _t108 + _t108, _t142, _t107 & 0x00000003);
              							_t144 = _t144 + 0x18;
              							_t98[1] = _t86;
              							 *(_t143 + 0x1c) = _t86 +  *(_t143 + 0x1c);
              							0x740fd1a0( *((intOrPtr*)(_t143 + 4)), _t98, 0x20); // executed
              							0x740fd280( *((intOrPtr*)(_t143 + 4)), _t98, 0x20);
              							_t137 = _t143 + 0x30;
              							0x77e2eef0(_t137);
              							 *(_t143 + 0x10) =  *(_t143 + 0x10) - 1;
              							0x77e2eb70(_t137);
              							asm("cdq");
              							 *(_t143 + 0x14) = ( *(_t143 + 0x14) + 1) % 0x14;
              							continue;
              						}
              					}
              					L25:
              					0x77e2eef0(0x71e878);
              					_t139 =  *0x71e898; // 0x46c10a0
              					_t101 =  *0x71e894; // 0x46c10a0
              					_t70 = 0;
              					while(_t101 != 0 && _t70 < _t139 - _t101 >> 2) {
              						if( *((intOrPtr*)(_t101 + _t70 * 4)) == _t143) {
              							_t124 = _t101 + _t70 * 4;
              							_t104 = _t139;
              							_t53 = _t124 + 4; // 0x46c10a4
              							_t82 = _t53;
              							if(_t82 != _t104) {
              								_t125 = _t124 - _t82;
              								do {
              									 *((intOrPtr*)(_t125 + _t82)) =  *_t82;
              									_t82 = _t82 + 4;
              								} while (_t82 != _t104);
              								_t139 =  *0x71e898; // 0x46c10a0
              							}
              							_t55 = _t139 - 4; // 0x46c109c
              							_t83 = _t55;
              							 *((intOrPtr*)(_t144 + 0x14)) = _t83;
              							 *0x71e898 = _t83;
              						} else {
              							_t70 = _t70 + 1;
              							continue;
              						}
              						break;
              					}
              					0x77e2eb70(0x71e878);
              					E004450B0( *((intOrPtr*)(_t143 + 4)));
              					E004874CE( *_t143); // executed
              					E00445050( *((intOrPtr*)(_t143 + 0xc)));
              					CloseHandle( *(_t143 + 0x20));
              					CloseHandle( *(_t143 + 0x28));
              					CloseHandle( *(_t143 + 0x2c));
              					0x77e4a080(_t143 + 0x30);
              					E00497391(_t143);
              					return 0;
              				}
              				_t92 = _t64 - 1;
              				if(_t92 == 0 || _t92 == 0x101) {
              					0x740fd180( *((intOrPtr*)(_t143 + 4)));
              					0x740fd1c0( *((intOrPtr*)(_t143 + 4)));
              					_t138 = _t137 ^ _t137;
              					do {
              						_t99 =  *((intOrPtr*)(_t143 + 0xc));
              						_t94 = _t138 + _t99;
              						if(( *(_t138 + _t99 + 0x10) & 0x00000002) != 0) {
              							0x740fd260( *((intOrPtr*)(_t143 + 4)), _t94, 0x20);
              						}
              						_t138 = _t138 + 0x20;
              					} while (_t138 < 0x280);
              				} else {
              					goto L1;
              				}
              				goto L25;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.687225397.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: ce05583893dd06a574999084026cd3a48d83e06efe06cc541ccc8d41c017324b
              • Instruction ID: e3978c41a09d73ae00533f26aa2ad21ba508bdbf8a6679d848aa6713b1d20aa0
              • Opcode Fuzzy Hash: ce05583893dd06a574999084026cd3a48d83e06efe06cc541ccc8d41c017324b
              • Instruction Fuzzy Hash: F6612576610619EBEF14DF18CC98AAB77A9EF89704F04582AFD05DB342C638ED01CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 24%
              			E004875F5(unsigned int _a4) {
              				signed int _v8;
              				intOrPtr _v20;
              				void* _v32;
              				intOrPtr _t19;
              				void* _t20;
              				signed char _t22;
              				void* _t23;
              				void* _t24;
              				void* _t36;
              				unsigned int _t44;
              				unsigned int _t46;
              				intOrPtr _t47;
              				void* _t50;
              
              				_push(0xffffffff);
              				_push(0x6eef00);
              				_push(E004886C0);
              				_push( *[fs:0x0]);
              				 *[fs:0x0] = _t47;
              				_t19 =  *0x73a968; // 0x1
              				if(_t19 != 3) {
              					__eflags = _t19 - 2;
              					if(_t19 != 2) {
              						goto L11;
              					} else {
              						_t24 = _a4;
              						__eflags = _t24;
              						if(_t24 == 0) {
              							_t44 = 0x10;
              						} else {
              							_t9 = _t24 + 0xf; // 0x46c10af
              							_t44 = _t9 & 0xfffffff0;
              						}
              						_a4 = _t44;
              						__eflags = _t44 -  *0x711624; // 0x1e0
              						if(__eflags > 0) {
              							L10:
              							_push(_t44);
              							goto L14;
              						} else {
              							E0048D7C4(9);
              							_pop(_t36);
              							_v8 = 1;
              							_v32 = E0048F814(_t36, _t44 >> 4);
              							_v8 = _v8 | 0xffffffff;
              							E004876BB();
              							_t23 = _v32;
              							__eflags = _t23;
              							if(_t23 == 0) {
              								goto L10;
              							}
              						}
              					}
              				} else {
              					_t46 = _a4;
              					_t50 = _t46 -  *0x73a960; // 0x0
              					if(_t50 > 0) {
              						L11:
              						_t20 = _a4;
              						__eflags = _t20;
              						if(_t20 == 0) {
              							_t20 = 1;
              						}
              						_t22 = _t20 + 0x0000000f & 0x000000f0;
              						__eflags = _t22;
              						_push(_t22);
              						L14:
              						_push(0);
              						_t23 = RtlAllocateHeap( *0x73a964); // executed
              					} else {
              						E0048D7C4(9);
              						_v8 = _v8 & 0x00000000;
              						_push(_t46);
              						_v32 = E0048ED71();
              						_v8 = _v8 | 0xffffffff;
              						E0048765C();
              						_t23 = _v32;
              						if(_t23 == 0) {
              							goto L11;
              						} else {
              						}
              					}
              				}
              				 *[fs:0x0] = _v20;
              				return _t23;
              			}

              APIs
              • RtlAllocateHeap.NTDLL(00000000,046C1091,?,?,?,?,046C10A0), ref: 004876DD
              Memory Dump Source
              • Source File: 00000000.00000002.687225397.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000000.00000002.687210634.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.688358454.00000000006B6000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688367918.00000000006BC000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688385276.00000000006CD000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688424145.00000000006F9000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688450973.0000000000711000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688458342.000000000071D000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688465640.0000000000724000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688473260.0000000000734000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688482155.0000000000736000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688487916.000000000073A000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688493733.000000000073C000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.688500811.0000000000744000.00000008.00020000.sdmp
              • Associated: 00000000.00000002.688557869.000000000079B000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.688565938.000000000079C000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688577932.00000000007A6000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.688585561.00000000007A7000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.688592479.00000000007A8000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.688971716.0000000000903000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689000117.0000000000906000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.689162239.000000000091C000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689227440.0000000000928000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689264626.000000000092C000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.689290829.000000000092E000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689364818.000000000093B000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.689383011.000000000093C000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689404236.000000000093D000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.689439251.0000000000942000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689452806.0000000000943000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.689468994.0000000000944000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689527659.000000000095F000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.689555587.000000000096B000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689641876.000000000098B000.00000080.00020000.sdmp
              • Associated: 00000000.00000002.689649142.000000000098D000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689900510.00000000009CB000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689959285.00000000009E0000.00000040.00020000.sdmp
              • Associated: 00000000.00000002.689977796.00000000009EF000.00000040.00020000.sdmp
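              The dump names in the list above encode, field by field, the region's base address (it matches the "Offset" column) and two values that only ever take valid Windows MEMORY_BASIC_INFORMATION Protect and Type constants (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, and so on). The script below is an added example, not part of the Joe Sandbox report: it decodes those names so an analyst can pick the executable regions to disassemble and spot regions that are both writable and executable, which is where a runtime unpacker leaves rewritten code. Reading the fifth and sixth fields as Protect/Type, and treating the first three fields as opaque process/stage/dump ids, are assumptions about the naming scheme, not facts the report states.

```python
"""Decode Joe Sandbox memory-dump file names into region metadata.

Added example, not part of the report. Names in this report look like
    00000000.00000002.687225397.0000000000401000.00000040.00020000.sdmp
Assumption: field 4 is the region base, field 5 the page protection and
field 6 the region type (Windows MEMORY_BASIC_INFORMATION constants);
fields 1-3 are treated as opaque identifiers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# winnt.h page-protection values (low byte) and modifier bits.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# MEMORY_BASIC_INFORMATION.Type values (assumed meaning of the sixth field).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

EXEC_BITS = 0x10 | 0x20 | 0x40 | 0x80
WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80

_DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_BITS)

    @property
    def writable_and_executable(self) -> bool:
        # PAGE_EXECUTE_READWRITE / PAGE_EXECUTE_WRITECOPY: code that can rewrite itself.
        return bool(self.protect & EXEC_BITS) and bool(self.protect & WRITE_BITS)


def parse_dump_name(name: str) -> DumpRegion:
    """Split one dump name; raises ValueError for anything not in the scheme."""
    m = _DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        name=name,
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
    )


def triage(names: Iterable[str]) -> list[tuple[int, str, str]]:
    """Return (base, protection, type) for every dump, lowest address first."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    return [(r.base, r.protect_name, r.type_name) for r in regions]


def rwx_bases(names: Iterable[str]) -> list[int]:
    """Bases of regions that are writable and executable: disassemble these first."""
    return sorted(r.base for r in map(parse_dump_name, names) if r.writable_and_executable)


# Sample input: six names copied from the "Memory Dump Source" list of this report.
REPORT_DUMPS = [
    "00000000.00000002.687210634.0000000000400000.00000002.00020000.sdmp",
    "00000000.00000002.687225397.0000000000401000.00000040.00020000.sdmp",
    "00000000.00000002.688493733.000000000073C000.00000008.00020000.sdmp",
    "00000000.00000002.688557869.000000000079B000.00000004.00020000.sdmp",
    "00000000.00000002.688577932.00000000007A6000.00000080.00020000.sdmp",
    "00000000.00000002.689977796.00000000009EF000.00000040.00020000.sdmp",
]

if __name__ == "__main__":
    for base, prot, typ in triage(REPORT_DUMPS):
        print(f"{base:#010x}  {prot:<24} {typ}")
    print("writable+executable:", [hex(b) for b in rwx_bases(REPORT_DUMPS)])
```

              Run against the full list, the script separates the read-only header page at 0x400000 from the RWX page at 0x401000 that the "Source File" entry points at; the fact that the region holding the analysed code is writable as well as executable is the detail to check before trusting any static view of the original file.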
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 51edd5538ab1e707dd383e2de96a2ace018212115fdb76d063df94fe1c0fe168
              • Instruction ID: 6c4d36e797ff8321bd568ad354d08063dd5dc927b22789ef06a661382e5f6438
              • Opcode Fuzzy Hash: 51edd5538ab1e707dd383e2de96a2ace018212115fdb76d063df94fe1c0fe168
              • Instruction Fuzzy Hash: 7021A631904A05ABDB10FB699C52B9E7BA4AB01774F344916F410BB2D1E77CE841875D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 30%
              			// Added analyst note: the shape of this routine matches the MSVC CRT free(),
              			// not sample-specific logic: SEH frame, _mlock(9) (_HEAP_LOCK), dispatch on the
              			// global at 0x73a968 (__active_heap: 3 = __V6_HEAP small-block heap, 2 = __V5_HEAP,
              			// anything else = system heap), then HeapFree(_crtheap, 0, p) with _crtheap at
              			// 0x73a964. The dumped value 0x1 at 0x73a968 means only the RtlFreeHeap path
              			// ran in this analysis (see the APIs list below).
              			E004874CE(intOrPtr _a4) {
              				signed int _v8;
              				char _v20;
              				intOrPtr _v32;
              				char _v36;
              				intOrPtr _v40;
              				char _v44;
              				char _t19;
              				intOrPtr _t20;
              				intOrPtr _t24;
              				intOrPtr _t27;
              				intOrPtr _t40;
              				char _t42;
              				intOrPtr _t49;
              
              				_push(0xffffffff);
              				_push(0x6eeee8);
              				_push(E004886C0);
              				_t19 =  *[fs:0x0];
              				_push(_t19);
              				 *[fs:0x0] = _t42;
              				_t40 = _a4;
              				if(_t40 != 0) {
              					_t20 =  *0x73a968; // 0x1  (__active_heap)
              					if(_t20 != 3) {
              						if(_t20 != 2) {
              							_push(_t40);
              							goto L12;
              						} else {
              							E0048D7C4(9); // _mlock(_HEAP_LOCK)
              							_v8 = 1;
              							_t24 = E0048F778(_t40,  &_v44,  &_v36); // consistent with __old_sbh_find_block
              							_v40 = _t24;
              							if(_t24 != 0) {
              								E0048F7CF(_v44, _v36, _t24); // consistent with __old_sbh_free_block
              							}
              							_v8 = _v8 | 0xffffffff;
              							_t19 = E00487590(); // __finally handler: unlock _HEAP_LOCK
              							goto L9;
              						}
              					} else {
              						E0048D7C4(9); // _mlock(_HEAP_LOCK)
              						_v8 = _v8 & 0x00000000;
              						_t27 = E0048EA1D(_t40); // consistent with __sbh_find_block
              						_v32 = _t27;
              						if(_t27 != 0) {
              							_push(_t40);
              							_push(_t27);
              							E0048EA48(); // consistent with __sbh_free_block
              						}
              						_v8 = _v8 | 0xffffffff;
              						_t19 = E00487538(); // __finally handler: unlock _HEAP_LOCK
              						_t49 = _v32;
              						L9:
              						if(_t49 == 0) {
              							_push(_a4);
              							L12:
              							_push(0);
              							_t19 = RtlFreeHeap( *0x73a964); // executed; HeapFree(_crtheap, 0, p), block and flags pushed above
              						}
              					}
              				}
              				 *[fs:0x0] = _v20;
              				return _t19;
              			}
              
              Address column of the disassembly listing above (0x004874d1 to 0x004875b6, one entry per decompiled line; 0x00000000 marks lines with no instruction).

              APIs
              • RtlFreeHeap.NTDLL(00000000,?,?,046C10A0,?), ref: 004875A3
              Memory Dump Source
              • Source File: 00000000.00000002.687225397.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated dumps: identical to the list given under the first function above.
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 2678dff8c23983cafdbe9c95574a88d2003638a0a46de6d5bb43aafa8f1c19aa
              • Instruction ID: b6545e93b54fd454e44ebfe98642214536955068ada2062390ff460333d20dfd
              • Opcode Fuzzy Hash: 2678dff8c23983cafdbe9c95574a88d2003638a0a46de6d5bb43aafa8f1c19aa
              • Instruction Fuzzy Hash: B321C572805205BADB11BB959C52B9F7B78EB05724F24091BF010B25D1D73CDA408BA9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 37%
              			// Added analyst note: 0x74b04f20 is an absolute address inside a system DLL as
              			// mapped during this run, so the decompiler could not name it. "call; RtlFreeHeap
              			// (<eax>, 0, ptr)" is the HeapFree(GetProcessHeap(), 0, p) idiom; the heap handle
              			// shown as _a4 is most likely an artifact of the low-quality (37%) decompilation.
              			E00445050(void* _a4) {
              				char _t3;
              				void* _t2; // missing from the raw decompiler output
              
              				_t2 = _a4;
              				0x74b04f20();
              				_t3 = RtlFreeHeap(_a4, 0, _t2); // executed
              				return _t3;
              			}
              
              Address column of the disassembly listing above (0x00445050 to 0x00445064, one entry per decompiled line).

              APIs
              • RtlFreeHeap.NTDLL(00000000,?,?), ref: 0044505F
              Memory Dump Source
              • Source File: 00000000.00000002.687225397.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated dumps: identical to the list given under the first function above.
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 4bf59205afbaa7276e325330daad5e2d689785c78f82d0fe77eeffe7b0b4227e
              • Instruction ID: f7e88221cdb4d170448674eed5224951b9b9511a5f15176ee1df317197c3764d
              • Opcode Fuzzy Hash: 4bf59205afbaa7276e325330daad5e2d689785c78f82d0fe77eeffe7b0b4227e
              • Instruction Fuzzy Hash: D7B012E91991013AF400D3105DD8F3F654CDBC6702FC0AC003204800A0C810ED000610
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              C-Code - Quality: 28%
              			// Added analyst note: this is the MSVC CRT __crtMessageBoxA lazy loader
              			// (user32.dll / MessageBoxA / GetActiveWindow / GetLastActivePopup), reached only
              			// for CRT run-time error pop-ups. The globals at 0x736e4c, 0x736e50 and 0x736e54
              			// cache the resolved pointers; 0x74b057b0("user32.dll") is an absolute call into a
              			// system DLL at its load address, consistent with LoadLibraryA. It is listed under
              			// "Non-executed Functions": the GetProcAddress strings here belong to the
              			// statically linked CRT, not to the sample's own API resolution.
              			E00492C7F(struct HINSTANCE__* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
              				intOrPtr* _t5;
              				intOrPtr* _t8;
              				_Unknown_base(*)()* _t11;
              				void* _t14;
              				struct HINSTANCE__* _t15;
              				void* _t17;
              
              				_t14 = 0;
              				_t17 =  *0x736e4c - _t14; // 0x0  (cached MessageBoxA pointer, still unresolved)
              				if(_t17 != 0) {
              					L4:
              					_t5 =  *0x736e50; // 0x0  (cached GetActiveWindow pointer)
              					if(_t5 != 0) {
              						_t14 =  *_t5();
              						if(_t14 != 0) {
              							_t8 =  *0x736e54; // 0x0  (cached GetLastActivePopup pointer)
              							if(_t8 != 0) {
              								_t14 =  *_t8(_t14);
              							}
              						}
              					}
              					return  *0x736e4c(_t14, _a4, _a8, _a12); // MessageBoxA(hwnd, text, caption, type)
              				}
              				0x74b057b0("user32.dll"); // absolute call into a system DLL; consistent with LoadLibraryA
              				_t15 = __eax;
              				if(__eax == 0) {
              					L10:
              					return 0;
              				}
              				_t11 = GetProcAddress(__eax, "MessageBoxA");
              				 *0x736e4c = _t11;
              				if(_t11 == 0) {
              					goto L10;
              				} else {
              					 *0x736e50 = GetProcAddress(_t15, "GetActiveWindow");
              					 *0x736e54 = GetProcAddress(_t15, "GetLastActivePopup");
              					goto L4;
              				}
              			}
              
              Address column of the disassembly listing above (0x00492c80 to 0x00492d04, one entry per decompiled line; 0x00000000 marks lines with no instruction).

              APIs
              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00492CA9
              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00492CBA
              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00492CC7
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.687225397.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated dumps: identical to the list given under the first function above.
              Similarity
              • API ID: AddressProc
              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
              • API String ID: 190572456-4044615076
              • Opcode ID: c2bead820baefeaf9a2507dcbafc1e9a1497e799def939cdb0b1395010076c2e
              • Instruction ID: 4aad847d52fe839d267e8d88e554eaa699197810fdfb1fccf8c0e62836a2ef72
              • Opcode Fuzzy Hash: c2bead820baefeaf9a2507dcbafc1e9a1497e799def939cdb0b1395010076c2e
              • Instruction Fuzzy Hash: 2A017575341351FB9B11DFBAED8492B2ED9B685B42301C43AB504C3220D6E9C8098B68
              Uniqueness

              Uniqueness Score: -1.00%